
CVE-2021-1675 PoC — Windows Print Spooler Remote Code Execution Vulnerability

Associated Vulnerability
Title: Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-1675)
Description: Windows Print Spooler Remote Code Execution Vulnerability
Readme
## 〖EXP〗 Ladon: reproducing the print spooler privilege-escalation vulnerability CVE-2021-1675

http://k8gege.org/p/CVE-2021-1675.html

### Overview

On June 9, Microsoft released its June security update, fixing 50 vulnerabilities, among them a Windows Print Spooler privilege-escalation vulnerability, CVE-2021-1675. An unauthenticated remote attacker can exploit it to execute arbitrary code with SYSTEM privileges on a domain controller and thereby take control of the entire domain. Affected users are advised to apply the patch promptly, audit their assets and take preventive measures so as not to fall victim to an attack.

### Vulnerability description

Print Spooler is the Windows service that manages print-related tasks.

Under suitable conditions in a domain environment, with no user interaction required, an unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code with SYSTEM privileges on a domain controller and thereby gain control of the entire domain.

### Affected versions

    Windows Server 2012 R2 (Server Core installation)
    Windows Server 2012 R2
    Windows Server 2012 (Server Core installation)
    Windows Server 2012
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows RT 8.1
    Windows 8.1 for x64-based systems
    Windows 8.1 for 32-bit systems
    Windows 7 for x64-based Systems Service Pack 1
    Windows 7 for 32-bit Systems Service Pack 1
    Windows Server 2016 (Server Core installation)
    Windows Server 2016
    Windows 10 Version 1607 for x64-based Systems
    Windows 10 Version 1607 for 32-bit Systems
    Windows 10 for x64-based Systems
    Windows 10 for 32-bit Systems
    Windows Server, version 20H2 (Server Core Installation)
    Windows 10 Version 20H2 for ARM64-based Systems
    Windows 10 Version 20H2 for 32-bit Systems
    Windows 10 Version 20H2 for x64-based Systems
    Windows Server, version 2004 (Server Core installation)
    Windows 10 Version 2004 for x64-based Systems
    Windows 10 Version 2004 for ARM64-based Systems
    Windows 10 Version 2004 for 32-bit Systems
    Windows 10 Version 21H1 for 32-bit Systems
    Windows 10 Version 21H1 for ARM64-based Systems
    Windows 10 Version 21H1 for x64-based Systems
    Windows 10 Version 1909 for ARM64-based Systems
    Windows 10 Version 1909 for x64-based Systems
    Windows 10 Version 1909 for 32-bit Systems
    Windows Server 2019 (Server Core installation)
    Windows Server 2019
    Windows 10 Version 1809 for ARM64-based Systems
    Windows 10 Version 1809 for x64-based Systems
    Windows 10 Version 1809 for 32-bit Systems

### Version
Ladon >= 8.6

#### Usage
Ladon CVE-2021-1675 DllPath

#### Examples
Ladon CVE-2021-1675 c:\evil.dll
Ladon PrintNightmare c:\evil.dll

### Local privilege escalation

Win2019
![image](http://k8gege.org/k8img/Ladon/exe/cve-2021-1675/2019_lpe.PNG)

Win2016
![image](http://k8gege.org/k8img/Ladon/exe/cve-2021-1675/Ladon_2021-1675.PNG)

Win10
![image](http://k8gege.org/k8img/Ladon/exe/cve-2021-1675/win10_lpe.PNG)

### Remote privilege escalation

Win2016
![image](http://k8gege.org/k8img/Ladon/exe/cve-2021-1675/2016_ISOK.PNG)

### Related PoCs
C++, Python, C#, PowerShell
https://github.com/afwu/PrintNightmare
https://github.com/cube0x0/CVE-2021-1675
https://github.com/calebstewart/CVE-2021-1675

### Download

#### LadonGo (ALL OS)
https://github.com/k8gege/LadonGo/releases

#### Ladon (Windows & Cobalt Strike)

Previous versions: https://github.com/k8gege/Ladon/releases
Version 7.0: http://k8gege.org/Download
Version 8.6: K8小密圈

