diff --git a/README.md b/README.md index 5b7885d..464095a 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,16 @@ Execute malicious DLL's remote or locally ![](Images/poc2.png) +### Patch update +Microsoft has released a patch to mitigate against these attacks but if these values below are present on a machine, then the machine will still be vulnerable +``` +REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" + +HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint + RestrictDriverInstallationToAdministrators REG_DWORD 0x0 + NoWarningNoElevationOnInstall REG_DWORD 0x1 +``` + ### Installation Before running the exploit you need to install my version of Impacket and after that you're gucci @@ -89,8 +99,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_ We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable ```bash -rpcdump.py @192.168.1.10 | grep MS-RPRN +rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR' +Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol Protocol: [MS-RPRN]: Print System Remote Protocol ``` @@ -103,9 +114,5 @@ Stop-Service Spooler REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f ``` -Or Uninstall Print-Services -```powershell -Uninstall-WindowsFeature Print-Services -```
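Review bot: The new "Patch update" section only describes the vulnerable state and never says what the patched state looks like, so a reader cannot tell whether a machine that returns different values (or no `PointAndPrint` key at all) is safe; add a sentence stating that the key being absent or the two values being set the other way round is the expected post-patch state, and cite the Microsoft advisory the text refers to instead of "a patch". The fenced block also mixes the `REG QUERY` command with its output and has no language tag, unlike the `bash` and `powershell` fences elsewhere in the file; tag it and separate the command from the output so the two are not copy-pasted together.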
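Review bot: The `rpcdump.py` hunk now matches both `MS-RPRN` and `MS-PAR`, but the sentence above it still only says "if it returns a value, it could be vulnerable" without mentioning that a second protocol is now included; update the prose to explain that either the synchronous (`MS-RPRN`) or the asynchronous (`MS-PAR`) print interface being exposed is the signal, and prefer `grep -E 'MS-RPRN|MS-PAR'` over `egrep`, which is deprecated in current GNU grep.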
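Review bot: The last hunk silently drops the "Or Uninstall Print-Services" mitigation (`Uninstall-WindowsFeature Print-Services`) without explaining why; if the intent is that stopping and disabling the Spooler service in the preceding block is the recommended mitigation, say so in a short sentence in its place, or note the reason it was removed in the commit message so readers do not assume the removal option is no longer valid.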