Rapid7 security researchers Christophe De La Fuente and Spencer McIntyre have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The Print Spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\SYSTEM.
Because Metasploit’s SMB server doesn’t support SMB3 (yet), it’s highly recommended to use an external SMB server like Samba that supports SMB3. The Metasploit module documentation details the process of generating a payload DLL and using this module to load it.
CVE-2021-34527 is being actively exploited in the wild. For more information and a full timeline, see Rapid7’s blog on PrintNightmare!
Great work by community contributor Yann Castel on their new NSClient++ module. This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell.
For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. You must also know where the NSClient config file is, as it is used to read the admin password, which is stored in clear text.
Print Spooler Remote DLL Injection by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits CVE-2021-34527 - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker-controlled DLL as the SYSTEM user.
NSClient++ 0.5.2.35 - Privilege escalation by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.
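The two NSClient++ passages above name the same three preconditions: the web interface enabled, the ExternalScripts feature enabled, and an admin password readable in clear text from the config file. The audit script below, added here as an example and not code from the Metasploit module or the NSClient++ project, parses a constructed nsclient.ini fragment and reports whether all three hold, so an administrator can find hosts that match before anyone else does. The INI layout it assumes (a `[/modules]` section listing `WEBServer` and `CheckExternalScripts`, and a `password` key under `[/settings/default]`) is an assumption about the NSClient++ config format, and the sample values are constructed.

```python
"""Audit an NSClient++ config for the preconditions described above.

Assumed layout (not taken from the page): modules are toggled in the
[/modules] section and the admin password lives under [/settings/default].
"""
import configparser

# Constructed sample: an exposed configuration (both modules on, cleartext password).
SAMPLE_EXPOSED_INI = """
; constructed nsclient.ini fragment
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = s3cr3t-cleartext
"""

# Constructed sample: the same host with ExternalScripts turned off and no stored password.
SAMPLE_HARDENED_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = disabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
"""


def parse_nsclient_ini(text):
    """Parse NSClient++-style INI text, keeping key case (e.g. 'WEBServer') as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case keys; module names are case-sensitive in output
    cp.read_string(text)
    return cp


def _module_enabled(cp, name):
    """True when the named module is switched on in [/modules]."""
    if not cp.has_section("/modules"):
        return False
    value = cp.get("/modules", name, fallback="").strip().lower()
    return value in ("enabled", "1", "true")


def audit(text):
    """Return a dict describing which of the three preconditions hold.

    'exposed' is True only when the web interface and ExternalScripts are both
    enabled AND a cleartext password is present in the config file.
    """
    cp = parse_nsclient_ini(text)
    web = _module_enabled(cp, "WEBServer")
    ext = _module_enabled(cp, "CheckExternalScripts")
    password = cp.get("/settings/default", "password", fallback="").strip()

    findings = []
    if web and ext:
        findings.append("web interface and ExternalScripts are both enabled")
    if password:
        findings.append("admin password stored in clear text in the config file")

    return {
        "web_interface": web,
        "external_scripts": ext,
        "cleartext_password": bool(password),
        "exposed": web and ext and bool(password),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ini in (("exposed", SAMPLE_EXPOSED_INI), ("hardened", SAMPLE_HARDENED_INI)):
        result = audit(ini)
        print(f"{label}: exposed={result['exposed']} findings={result['findings']}")
```

On a real host, read the file from the path NSClient++ is actually using (the page notes the module itself takes that path as a parameter) and feed its contents to `audit()`; a result with `exposed` set to True is a host on which an unprivileged local account has everything the module needs.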
A bug in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from being able to use the read_file() method has been fixed. PowerShell sessions should now be able to use this method to read files from the target system.
A bug in the apport_abrt_chroot_priv_esc module, where the check method would fail if the apport-cli binary was not in the PATH, has been fixed.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).