search

PrintNightmare

hashtag
ABOUT

PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527 and CVE-2021-1675) found in the Print Spooler service that runs on all Windows operating systems.

Basically it's just RCE as SYSTEM, via printer driver DLL injection through RPC interface of Print Spooler.

Print Spooler is a Microsoft built-in service that manages printing jobs. It is enabled by default and runs within the SYSTEM context.

  • MS-RPRN – The main protocol for managing printers and print jobs remotely. It handles tasks like listing printers, sending print jobs, and configuring settings.

  • MS-PAR – Adds support for asynchronous operations to improve performance. It allows non-blocking calls, like getting print job updates without waiting.

  • MS-PAN – An extension to MS-RPRN that supports newer features. It enables enhanced printer capabilities used in modern Windows systems.

hashtag
Prerequisites

  • Print Spooler enabled on target (e.g., DC or file server)

  • RPC/SMB access (ports 135, 445)

  • Attacker has write access to printer driver path

hashtag
FLOW

  1. Create a malicious DLL

  2. Host SMB share, or put DLL into accessible share

  3. Trigger DLL install via RPC call

  4. Catch reverse shell or payload (Or do anything depends on your payload)

hashtag
LINUX

hashtag
MS-RPRN Enum

hashtag
DLL Payload Generation

hashtag
Creating a share

hashtag
Turning on multi/handler

hashtag
Running exploit [LINK]arrow-up-right

hashtag
RESOURCES

LogoPrintNightmare | The Hacker Recipeswww.thehacker.recipeschevron-right
PreviousPrintersNextTools

Last updated