Related vulnerability
Title:
Microsoft Windows Print Spooler Components security vulnerability
(CVE-2021-1675)
Description: Microsoft Windows Print Spooler Components is a print spooler component from Microsoft Corporation (USA). Microsoft Windows Print Spooler Components contains a security vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows 10 Version 1809 for AR
Description
Local Privilege Escalation Edition for CVE-2021-1675/CVE-2021-34527
Introduction
# Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527
Local Privilege Escalation implementation of CVE-2021-1675/CVE-2021-34527 (a.k.a. PrintNightmare). The exploit is adapted from the one published by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370).
Open the project in Visual Studio (MSVC) and compile it in x64 Release mode. The exploit locates UNIDRV.DLL automatically; no changes to the code are required.
## Usage
When executing the exploit, pass the payload DLL path as the first argument. That's it.
```
CVE-2021-1675-LPE.exe PAYLOAD_DLL_PATH
```
The exploit has been tested on a fully updated Windows Server 2019 Standard.
<p align="center"><img src="https://github.com/hlldz/CVE-2021-1675-LPE/blob/main/poc.png" alt="CVE-2021-1675 - Local Privilege Escalation" width="1024"></p>
## Cobalt Strike
For the Reflective DLL version, change the DLL path at line 111 of main.cpp and then compile the project. Load lpe_cve_2021_1675.cna and use the lpe_cve_2021_1675 command to run the Reflective DLL.
<p align="center"><img src="https://github.com/hlldz/CVE-2021-1675-LPE/blob/main/cobaltstrike.png" alt="CVE-2021-1675 - Local Privilege Escalation" width="1024"></p>
## Mitigation
Disable the Spooler service (stop it and set its start type to 4, i.e. Disabled, so it cannot be started again):
```powershell
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
```
Or uninstall the Print-Services role (Windows Server):
```powershell
Uninstall-WindowsFeature Print-Services
```
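As an added defender-side check, not part of the original project: the PowerShell function below (hypothetical name `Test-PrintSpoolerExposure`) audits whether the Spooler mitigation above is actually in effect on a host, that is, the service is stopped and its `Start` value is 4 (Disabled), and optionally applies it. It assumes an elevated PowerShell session.

```powershell
# Added audit/remediation helper for the Spooler mitigation (not the project's own code).
function Test-PrintSpoolerExposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Read the value named exactly "Start"; a misspelled value (e.g. "Start " with a
    # trailing space) would be ignored by the Service Control Manager.
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start

    # Start = 4 means Disabled. A Spooler that is merely stopped but still enabled
    # comes back after a reboot or can be started on demand, so it still counts as exposed.
    $exposed = ($null -ne $svc) -and -not ($svc.Status -eq 'Stopped' -and $start -eq 4)

    if ($exposed -and $Remediate) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled   # writes Start = 4
        # Re-read the state so the report reflects what was actually applied.
        $svc     = Get-Service -Name Spooler
        $start   = (Get-ItemProperty -Path $key -Name Start).Start
        $exposed = -not ($svc.Status -eq 'Stopped' -and $start -eq 4)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerPresent = ($null -ne $svc)
        Status         = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartValue     = $start
        Exposed        = $exposed
    }
}

Test-PrintSpoolerExposure              # audit only
# Test-PrintSpoolerExposure -Remediate # stop and disable the service if exposed
```

Run the audit form across a fleet (for example via Invoke-Command) to find hosts where the service was stopped but never disabled.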
## References
* https://github.com/afwu/PrintNightmare
* https://twitter.com/hackerfantastic/status/1410069557398679552
* https://twitter.com/0gtweet/status/1410150462842544130
File snapshot
```
[4.0K] /data/pocs/ed7800dd8a865e87993652baa03362254eef3e09
├── [358K] cobaltstrike.png
├── [ 425] lpe_cve_2021_1675.cna
├── [232K] poc.png
├── [1.6K] README.md
└── [4.0K] src
    ├── [4.0K] CVE-2021-1675-LPE-RDLL
    │   ├── [7.4K] CVE-2021-1675-LPE-RDLL.vcxproj
    │   ├── [1.3K] CVE-2021-1675-LPE-RDLL.vcxproj.filters
    │   ├── [ 168] CVE-2021-1675-LPE-RDLL.vcxproj.user
    │   ├── [3.1K] main.cpp
    │   ├── [2.7K] ReflectiveDLLInjection.h
    │   ├── [ 21K] ReflectiveLoader.c
    │   └── [6.9K] ReflectiveLoader.h
    ├── [2.2K] CVE-2021-1675-LPE.sln
    ├── [7.1K] CVE-2021-1675-LPE.vcxproj
    ├── [ 977] CVE-2021-1675-LPE.vcxproj.filters
    ├── [ 168] CVE-2021-1675-LPE.vcxproj.user
    └── [2.8K] main.cpp

2 directories, 16 files
```
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source has expired or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.