Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-1675 PoC — Microsoft Windows Print Spooler Components 安全漏洞

Source
https://github.com/mstxq17/CVE-2021-1675_RDL_LPE
Associated Vulnerability
Title:Microsoft Windows Print Spooler Components 安全漏洞 (CVE-2021-1675)
Description:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for AR
Description
PrintNightMare LPE提权漏洞的CS 反射加载插件。开箱即用、通过内存加载、混淆加载的驱动名称来ByPass Defender/EDR。
Readme
# CVE-2021-1675_RDL_LPE
PrintNightMare LPE提权漏洞的CS 反射加载插件。开箱即用、通过内存加载、混淆加载的驱动名称来ByPass Defender/EDR。

> 免责声明:
>
> 本项目只用于学习交流,请在合理授权范围内谨慎使用。

## 快速使用

下载本项目:

Cobalt Strike 加载插件

![image-20210901185333955](README.assets/image-20210901185333955.png)



用法说明:

```
> print_night_mare_lpe dllpath
> elevate -> PrintNightMare-1675 -> choose your listener -> exploit
```



## 效果展示

默认WinSer 2009环境(Window Defender)、WinServer 2016(Window Defender)

自定义DLL路径:

![image-20210901191711862](README.assets/image-20210901191711862.png)



elevate 模块:

![image-20210901191145466](README.assets/image-20210901191145466.png)



>如果最终返回0,说明是可以利用成功的,elevate的实现混淆加载驱动的名称,有可能不太稳定,可以多尝试几次,或者使用`print_night_mare_lpe dllpath` 。
>
>目前只测试过64位,elevate模块也只支持64,32位的话,建议使print_night_mare_lpe 
>
>This project just for fun ,enjoying..



## 漏洞缓解

及时更新系统到最新版
File Snapshot

 [4.0K]  /data/pocs/3b8d264dc84106424b4b2d9bb70ba5ff71bd7e33
├── [4.0K]  module
│   ├── [122K]  CVE-2021-1675.x64.dll
│   ├── [102K]  CVE-2021-1675.x86.dll
│   └── [ 16K]  LPE_Reflect_Elevate.x64.dll
├── [1.9K]  PrintNightMareLpe.cna
├── [4.0K]  README.assets
│   ├── [ 29K]  image-20210901185333955.png
│   ├── [198K]  image-20210901191145466.png
│   └── [202K]  image-20210901191711862.png
└── [1.2K]  README.md

2 directories, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.