PrintNightmare
ABOUT
PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527 and CVE-2021-1675) found in the Print Spooler service that runs on all Windows operating systems.
Basically it's just RCE as SYSTEM, via printer driver DLL injection through RPC interface of Print Spooler.
Print Spooler is a Microsoft built-in service that manages printing jobs. It is enabled by default and runs within the SYSTEM context.
MS-RPRN – The main protocol for managing printers and print jobs remotely. It handles tasks like listing printers, sending print jobs, and configuring settings.
MS-PAR – Adds support for asynchronous operations to improve performance. It allows non-blocking calls, like getting print job updates without waiting.
MS-PAN – An extension to MS-RPRN that supports newer features. It enables enhanced printer capabilities used in modern Windows systems.
Requirements
Print Spooler enabled on target (e.g., DC or file server)
RPC/SMB access (ports 135, 445)
Attacker has write access to printer driver path
FLOW
Create a malicious DLL
Host SMB share, or put DLL into accessible share
Trigger DLL install via RPC call
Catch reverse shell or payload (Or do anything depends on your payload)
LINUX
MS-RPRN Enum
DLL Payload Generation
Creating a share
Turning on multi/handler
RESOURCES
Last updated
