1
0
Fork 0
mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2024-12-22 10:46:32 +00:00

Update README.md

This commit is contained in:
cube0x0 2021-07-08 13:10:36 +02:00 committed by GitHub
parent 640d1984cd
commit d2e96c1dc7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -8,6 +8,16 @@ Execute malicious DLL's remote or locally
![](Images/poc2.png) ![](Images/poc2.png)
### Patch update
Microsoft has released a patch to mitigate against these attacks but if these values below are present on a machine, then the machine will still be vulnerable
```
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
```
### Installation ### Installation
Before running the exploit you need to install my version of Impacket and after that you're gucci Before running the exploit you need to install my version of Impacket and after that you're gucci
@ -89,8 +99,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
```bash ```bash
rpcdump.py @192.168.1.10 | grep MS-RPRN rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol Protocol: [MS-RPRN]: Print System Remote Protocol
``` ```
@ -103,9 +114,5 @@ Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
``` ```
Or Uninstall Print-Services
```powershell
Uninstall-WindowsFeature Print-Services
```