07/09/2021 | Press release | Distributed by Public on 07/09/2021 12:34
PrintNightmare
Rapid7 security researchers Christophe De La Fuente, and Spencer McIntyre, have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as .
Because Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The Metasploit module documentation details the process of generating a payload DLL and using this module to load it.
CVE-2021-34527 is being actively exploited in the wild. For more information and a full timeline, see Rapid7's blog on PrintNightmare!
NSClient++
Great work by community contributor Yann Castel on their new NSClient++ module. This module allows an attacker with an unprivileged windows account to gain admin access on a windows system and start a shell.
For this module to work, both the web interface of NSClient++ and the feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.
New module content (2)
Print Spooler Remote DLL Injection by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits CVE-2021-34527 - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the user.
NSClient++ 0.5.2.35 - Privilege escalation by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScriptsfeature enabled, gains a SYSTEM shell.
Enhancements and features
Bugs fixed
Get it
As always, you can update to the latest Metasploit Framework with and you can get more details on the changes since the last blog post from
GitHub:
If you are a user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).