Update README.md

main
cube0x0 3 years ago committed by GitHub
parent 640d1984cd
commit d2e96c1dc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 17
      README.md

@ -8,6 +8,16 @@ Execute malicious DLL's remote or locally
![](Images/poc2.png) ![](Images/poc2.png)
### Patch update
Microsoft has released a patch to mitigate against these attacks but if these values below are present on a machine, then the machine will still be vulnerable
```
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
```
### Installation ### Installation
Before running the exploit you need to install my version of Impacket and after that you're gucci Before running the exploit you need to install my version of Impacket and after that you're gucci
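Review bot: the new "Patch update" paragraph says "if these values below are present" but only the REG QUERY output makes the condition concrete; state it in the prose, e.g. "the host remains exploitable after the patch when RestrictDriverInstallationToAdministrators is 0 (or absent) and NoWarningNoElevationOnInstall is 1", so a reader who sees a different output, or an error because the PointAndPrint key does not exist at all, knows that this is the safe state rather than a failed check. The fence around the REG QUERY block also has no language tag while the rest of the README uses ```bash / ```powershell; tag it for consistency.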
@ -89,8 +99,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
```bash ```bash
rpcdump.py @192.168.1.10 | grep MS-RPRN rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol Protocol: [MS-RPRN]: Print System Remote Protocol
``` ```
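Review bot: the scan now matches MS-PAR as well as MS-RPRN, but the sentence still says "if it returns a value, it could be vulnerable"; an exposed MS-RPRN/MS-PAR endpoint only shows the Print Spooler is reachable over RPC, it says nothing about patch level or the PointAndPrint settings described in the new "Patch update" section, so the text should say "the spooler is exposed; confirm the patch state separately". Minor: `egrep` is deprecated in GNU grep in favour of `grep -E 'MS-RPRN|MS-PAR'`.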
@ -103,9 +114,5 @@ Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
``` ```
Or Uninstall Print-Services
```powershell
Uninstall-WindowsFeature Print-Services
```
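Review bot: `Uninstall-WindowsFeature Print-Services` only exists in the ServerManager module on Windows Server; it is not available on client SKUs, and removing the Print Services role does not remove the Spooler service itself, so the `Stop-Service Spooler` plus `Start = 4` mitigation kept above remains the one that applies to workstations. The hunk header (`-103,9 +114,5`) also shows four lines removed that are not visible here and the commit message "Update README.md" does not say what was dropped; a one-line summary in the message would help anyone auditing the mitigation section later.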
